History log of /openbsd-current/sys/netinet/ip_ipsp.h
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 1.245 17-Apr-2024 bluhm

Use struct ipsec_level within inpcb.

Instead of passing around u_char[4], introduce struct ipsec_level
that contains 4 ipsec levels. This provides better type safety.
The embedding struct inpcb is globally visible for netstat(1), so
put struct ipsec_level outside of #ifdef _KERNEL.

OK deraadt@ mvs@


Revision tags: OPENBSD_7_5_BASE
# 1.244 26-Nov-2023 bluhm

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@


# 1.243 11-Oct-2023 tobhe

Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference. If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb(). This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@


Revision tags: OPENBSD_7_4_BASE
# 1.242 07-Aug-2023 dlg

start adding support for route-based ipsec vpns.

rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.

to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields. When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


# 1.241 06-Jul-2023 dlg

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has it's own locks to protect it's internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesnt make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but im hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.240 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.244 26-Nov-2023 bluhm

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@


# 1.243 11-Oct-2023 tobhe

Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference. If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb(). This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@


Revision tags: OPENBSD_7_4_BASE
# 1.242 07-Aug-2023 dlg

start adding support for route-based ipsec vpns.

rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.

to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields. When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


# 1.241 06-Jul-2023 dlg

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has it's own locks to protect it's internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesnt make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but im hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.240 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.243 11-Oct-2023 tobhe

Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference. If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb(). This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@


Revision tags: OPENBSD_7_4_BASE
# 1.242 07-Aug-2023 dlg

start adding support for route-based ipsec vpns.

rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.

to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields. When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


# 1.241 06-Jul-2023 dlg

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has it's own locks to protect it's internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesnt make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but im hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.240 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.242 07-Aug-2023 dlg

start adding support for route-based ipsec vpns.

rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.

to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields. When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


# 1.241 06-Jul-2023 dlg

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has it's own locks to protect it's internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesnt make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but im hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.240 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.241 06-Jul-2023 dlg

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has it's own locks to protect it's internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesnt make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but im hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.240 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.240 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.239 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before do
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before if was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() to return dying `ids'.

ok bluhm@


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.238 21-Apr-2022 sashan

Introduce a dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under a mutex protection. Snapshots
are then processed without holding any mutexes. Such idea does not fly
well if link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@ Credits also goes to hrvoje@ for extensive testing.

OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.237 13-Mar-2022 bluhm

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.236 08-Mar-2022 bluhm

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.235 02-Mar-2022 bluhm

Merge two comments describing the locks into one.


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.234 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.233 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.232 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.231 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.230 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.229 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.228 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.227 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.226 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.225 01-Dec-2021 bluhm

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@


# 1.224 30-Nov-2021 bluhm

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.223 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.222 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.221 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.220 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.219 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.218 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.217 24-Oct-2021 bluhm

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp. Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@


# 1.216 24-Oct-2021 tobhe

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@


# 1.215 24-Oct-2021 tobhe

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@


# 1.214 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.213 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.212 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.211 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.210 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.209 05-Oct-2021 bluhm

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return. An ENOBUFS should be EINVAL in IPv6
case. Also use combined packet and byte counter.
OK sthen@ dlg@


# 1.208 05-Oct-2021 bluhm

Move setting ipsec mtu into a function. The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway. udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.207 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.206 10-Aug-2021 mvs

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.205 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.204 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.203 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine is ipsp_ids_timeout() timeout handler
running because timeout_del(9) called by ipsp_ids_insert() clears it's
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.202 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.201 13-Jul-2021 mvs

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.200 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.199 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.198 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.197 04-May-2021 mvs

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@


Revision tags: OPENBSD_6_9_BASE
# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.196 05-Nov-2020 phessler

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


Revision tags: OPENBSD_6_8_BASE
# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.195 01-Sep-2020 gnezdo

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.


Revision tags: OPENBSD_6_7_BASE
# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.194 23-Apr-2020 tobhe

Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.193 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.192 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.191 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.190 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.189 20-Nov-2017 mpi

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@


# 1.188 15-Nov-2017 mpi

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h


# 1.187 14-Nov-2017 mpi

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@


# 1.186 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.185 27-Oct-2017 mpi

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@


# 1.184 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.183 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.182 22-May-2017 bluhm

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@


# 1.181 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.180 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.179 14-Apr-2017 bluhm

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.178 07-Feb-2017 bluhm

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@


# 1.177 29-Jan-2017 bluhm

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@


# 1.176 26-Jan-2017 bluhm

Reduce the difference between struct protosw and ip6protosw. The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@


# 1.175 25-Jan-2017 bluhm

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@


# 1.174 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.173 03-Dec-2015 tedu

remove some unused defines. ok mikeb


# 1.172 25-Aug-2015 deraadt

correct #if/#endif guard comment


Revision tags: OPENBSD_5_8_BASE
# 1.171 17-Jul-2015 blambert

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@


# 1.170 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.169 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.168 17-Apr-2015 mikeb

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# 1.167 16-Apr-2015 markus

ipa_inp_next is unused; via mikeb@


# 1.166 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.165 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.164 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.163 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.162 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.161 26-Mar-2015 mikeb

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


Revision tags: OPENBSD_5_7_BASE
# 1.160 19-Jan-2015 deraadt

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL


# 1.159 19-Jan-2015 deraadt

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure. Will take a few more rounds to get this right.
ok mikeb


# 1.158 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.157 25-Nov-2014 mpi

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.156 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


Revision tags: OPENBSD_5_4_BASE
# 1.155 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.154 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.153 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.152 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.151 08-Oct-2012 camield

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@


# 1.150 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.149 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.148 16-Jul-2012 markus

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage


# 1.147 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.146 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.145 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


Revision tags: OPENBSD_4_8_BASE
# 1.144 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.143 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.142 11-May-2010 claudio

Massiv cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@


# 1.141 07-May-2010 claudio

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning


Revision tags: OPENBSD_4_7_BASE
# 1.140 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.139 13-Nov-2009 claudio

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@


Revision tags: OPENBSD_4_6_BASE
# 1.138 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


Revision tags: OPENBSD_4_5_BASE
# 1.137 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.136 08-Nov-2008 dlg

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.135 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_4_0_BASE
# 1.134 30-Jun-2006 deraadt

htonq() is not used, at all


# 1.133 27-Apr-2006 tedu

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert


Revision tags: OPENBSD_3_9_BASE
# 1.132 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.131 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.130 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.129 27-May-2005 hshoexer

wrap some comments


Revision tags: OPENBSD_3_7_BASE
# 1.128 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B
# 1.127 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


Revision tags: OPENBSD_3_5_BASE
# 1.126 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.125 10-Dec-2003 itojun

de-register. deraadt ok


# 1.124 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.123 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


Revision tags: UBC_SYNC_A
# 1.122 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
# 1.121 09-Jun-2002 itojun

whitespace


# 1.120 31-May-2002 angelos

New fields in policy and TDB.


Revision tags: OPENBSD_3_1_BASE
# 1.119 14-Mar-2002 millert

First round of __P removal in sys


Revision tags: OPENBSD_3_0_BASE UBC_BASE
# 1.118 19-Aug-2001 angelos

branches: 1.118.4;
Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.


# 1.117 05-Jul-2001 angelos

Style


# 1.116 05-Jul-2001 jjbg

IPComp itself (include files). angelos@ ok.


# 1.115 27-Jun-2001 angelos

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.


# 1.114 27-Jun-2001 angelos

Also link acquire state to the relevant IPsec policy.


# 1.113 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.112 26-Jun-2001 angelos

Use pool(9) for IPsec policy structures.


# 1.111 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.110 26-Jun-2001 angelos

KNF


# 1.109 25-Jun-2001 beck

damn greeks desperate for commits...


# 1.108 25-Jun-2001 angelos

KNF


# 1.107 25-Jun-2001 angelos

Copyright.


# 1.106 24-Jun-2001 mickey

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok


# 1.105 24-Jun-2001 provos

path mtu discovery for ipsec. on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu


# 1.104 24-Jun-2001 provos

remove whitespace


# 1.103 08-Jun-2001 angelos

IPSP_POLICY_STATIC flag.


# 1.102 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.101 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.100 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.99 31-May-2001 angelos

Structure for NIC IPsec processing status reports.


# 1.98 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.97 30-May-2001 angelos

Forgot to update ipsec_output_done()


# 1.96 30-May-2001 angelos

With the tags, we don't need to abuse the IPsec API to do socket keying.


# 1.95 30-May-2001 angelos

Keep track of remote authentication material (like public key) as well.


# 1.94 30-May-2001 angelos

Fields to store local auth information in policy and TDB.


# 1.93 29-May-2001 angelos

Fields on TDB for last used and last SKIPCRYPTO status change.


# 1.92 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.91 27-May-2001 angelos

Remove ipsp_copy_ident() prototype.


# 1.90 27-May-2001 angelos

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.


# 1.89 21-May-2001 angelos

SKIPCRYPTO flag


# 1.88 21-May-2001 angelos

Cosmetic.


# 1.87 21-May-2001 angelos

Use int16_t for the type and length of ipsec_ref objects.


# 1.86 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.85 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


# 1.84 01-May-2001 fgsch

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.


Revision tags: OPENBSD_2_9_BASE
# 1.83 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.82 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.81 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.80 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.79 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.78 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.77 12-Feb-2001 deraadt

putting #error into an include file is totally wrong


# 1.76 11-Feb-2001 fgsch

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok


# 1.75 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


Revision tags: OPENBSD_2_8_BASE
# 1.74 14-Oct-2000 angelos

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.


# 1.73 09-Oct-2000 angelos

AES support.


# 1.72 20-Sep-2000 angelos

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).


# 1.71 19-Sep-2000 angelos

SA bundles.


# 1.70 19-Sep-2000 angelos

Lots and lots of changes.


# 1.69 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.68 18-Jun-2000 itojun

IPv6 AH/ESP support, inbound side only. tested with KAME.


# 1.67 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.66 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.65 01-Jun-2000 angelos

Prototype for ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.64 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.63 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.62 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


# 1.61 28-Feb-2000 deraadt

move crypto code


Revision tags: SMP_BASE
# 1.60 27-Jan-2000 angelos

branches: 1.60.2;
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.59 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.58 13-Jan-2000 angelos

mbuf **, not mbuf * you twit...


# 1.57 13-Jan-2000 angelos

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.


# 1.56 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.55 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.54 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.53 09-Jan-2000 angelos

externalize ipsec_acl


# 1.52 29-Dec-1999 mickey

fix _input/_output proto changes for tcp_signature; angelos@ ok


# 1.51 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


# 1.50 08-Dec-1999 angelos

Fix debugging printf compilation.


Revision tags: kame_19991208
# 1.49 08-Dec-1999 angelos

IPv6 header handling, improve IPv4 option handling support.


# 1.48 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.47 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.46 29-Oct-1999 angelos

New field in tdb, to be used with bridging.


# 1.45 29-Oct-1999 angelos

Get rid of unnecessary third argument in *_output routines of IPsec.


# 1.44 29-Oct-1999 angelos

Remove unnecessary argument from ipe4_output() and etherip_output()


# 1.43 28-Oct-1999 angelos

Add Ethernet-IP encapsulation handling.


Revision tags: OPENBSD_2_6_BASE
# 1.42 29-Sep-1999 niklas

Critical reliability fix for IPsec. On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels. Use splsoftnet instead.


# 1.41 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.40 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.39 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.38 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.37 30-Jun-1999 deraadt

remove final low-level crypto knowledge from base ipsec code


# 1.36 18-Jun-1999 deraadt

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions


# 1.35 06-Jun-1999 angelos

Ident.


# 1.34 23-May-1999 niklas

SA hash table resizing


# 1.33 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.32 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.31 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.30 11-May-1999 niklas

Remove cruft that wasted space en masse in the IPsec subsystem


Revision tags: OPENBSD_2_5_BASE
# 1.29 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.28 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.27 25-Feb-1999 angelos

Move union sockaddr_union to ip_ipsp.h


# 1.26 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.25 24-Feb-1999 deraadt

add skipjack support back


# 1.24 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.23 17-Feb-1999 deraadt

ipsec skipjack, based on free .fi code (some .gov type will test this for me)


# 1.22 17-Feb-1999 deraadt

indent


# 1.21 08-Jan-1999 deraadt

do not use random bits when not necessary, remove 8-byte block dependence


# 1.20 25-Nov-1998 niklas

typo in comment


Revision tags: OPENBSD_2_4_BASE
# 1.19 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.18 18-Mar-1998 provos

adapt function arguments to get the expected prototype.


# 1.17 18-Mar-1998 provos

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reportd by
Petr Novak <petr@internet.cz>.


# 1.16 24-Nov-1997 provos

add ripemd-160 as authentication function.


# 1.15 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.14 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.13 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.12 14-Jul-1997 provos

sysctl...


# 1.11 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.10 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.9 01-Jul-1997 provos

major restructuring


# 1.8 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.7 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.6 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.5 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.4 28-Feb-1997 angelos

Added flags field in the TDB structure.


# 1.3 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.2 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz