IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc obj

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@

show more ...

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@

show more ...

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@

convert bcopy to memcpy. from david hill.

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec c

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@

show more ...

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and q

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

show more ...

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

No need for an extra local variable; no functional change.

Use proper argument type for crp_callback functions; no functional change.

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

make ipsp_address thread safe; ok mpi

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_c

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno

show more ...

bzero/bcmp -> memset/memcmp. ok matthew

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objectio

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

show more ...