
2014-06-24 16:39:39 UTC MAIN commitmail json YAML

2014-01-17 12:39:47 UTC MAIN commitmail json YAML

fix memory allocation, and an off-by-one

(drochner)

2013-10-30 15:41:14 UTC MAIN commitmail json YAML

play the addref/delref game on suspend, prevents crash if the disk/CF Card
is eg. in a PCMCIA adapter and not mounted

(drochner)

2013-10-30 15:37:49 UTC MAIN commitmail json YAML

-recognize CF cards by the magic value in inquiry data
-kill CFG_ATAPI_MASK, didn't see anything in the specs supporting
that it exists

(drochner)

2013-10-23 20:18:51 UTC MAIN commitmail json YAML

Use the MI "pcu" framework for bookkeeping of npx/fpu states on x86.
This reduces the amount of MD code enormously, and makes it easier
to implement support for newer CPU features which require more fpu
state, or for fpu usage by the kernel.
For access to FPU state across CPUs, an xcall kthread is used now
rather than a dedicated IPI.
No user visible changes intended.

(drochner)

2013-09-12 18:00:18 UTC MAIN commitmail json YAML

tyop in comment, from Eivind Evensen via OpenBSD

(drochner)

2013-09-11 18:50:00 UTC MAIN commitmail json YAML

add a patch from upstream, fixing a regression which obstructed link
status detection on BSD virtual interfaces (observed with xennet)

(drochner)

2013-08-22 19:50:55 UTC MAIN commitmail json YAML

-extend the pcu(9) API by a function which saves all context on the
current CPU, and use it if a CPU is taken offline
-add a bool argument to pcu_discard which tells whether the internal
"LWP has used the coprocessor" flag should be set or reset. The flag
is reported by pcu_used_p(). If set, future accesses should use the
state stored in the PCB. If reset, it should be reset to default.
The former case is useful for setmcontext().
With that, it should not be necessary anymore to manage the "FPU used"
state by an additional MD variable.

approved by matt

(drochner)

2013-08-13 20:41:25 UTC MAIN commitmail json YAML

pass HOST_SH to the build, to keep it from picking up a "bash"
from $PATH

(drochner)

2013-08-13 20:38:08 UTC MAIN commitmail json YAML

2013-08-13 19:29:45 UTC MAIN commitmail json YAML

2013-08-12 18:16:19 UTC MAIN commitmail json YAML

add feature flag definitions for the last round of Intel instruction
set extensions (AVX512 et al.)

(drochner)

2013-08-01 19:33:21 UTC MAIN commitmail json YAML

In unp_externalize, don't do anything if an SCM_RIGHTS control message
was sent with zero file descriptors in it. Otherwise, a zero-length
temporary storage would be allocated which triggers panic on DIAGNOSTIC
kernels (but is harmless for release kernels).
reviewed by Taylor R Campbell

(drochner)

2012-11-26 18:57:36 UTC MAIN commitmail json YAML

src/external/lgpl3/gmp/lib/libgmp/Makefile@1.14
src/external/lgpl3/gmp/lib/libgmp/arch/alpha/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/arm/Makefile.inc@1.4
src/external/lgpl3/gmp/lib/libgmp/arch/armeb/Makefile.inc@1.4
src/external/lgpl3/gmp/lib/libgmp/arch/earm/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/hppa/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/i386/Makefile.inc@1.6
src/external/lgpl3/gmp/lib/libgmp/arch/m68000/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/m68k/Makefile.inc@1.3
src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc@1.3
src/external/lgpl3/gmp/lib/libgmp/arch/mips64el/Makefile.inc@1.3
src/external/lgpl3/gmp/lib/libgmp/arch/mipseb/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/mipsel/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/powerpc/Makefile.inc@1.4
src/external/lgpl3/gmp/lib/libgmp/arch/powerpc64/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/sh3eb/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/sh3el/Makefile.inc@1.2
src/external/lgpl3/gmp/lib/libgmp/arch/sparc/Makefile.inc@1.4
src/external/lgpl3/gmp/lib/libgmp/arch/sparc64/Makefile.inc@1.3
src/external/lgpl3/gmp/lib/libgmp/arch/vax/Makefile.inc@1.4
src/external/lgpl3/gmp/lib/libgmp/arch/x86_64/Makefile.inc@1.4

collect common rules in the shared Makefile, this propagates the .OBJDIR
fix done for i386 last year to all other ports

(drochner)

2012-11-26 16:22:22 UTC MAIN commitmail json YAML

allow to enable ffs "discard" by update mounts, make the flag visible
to userland

(drochner)

2012-10-25 17:00:17 UTC MAIN commitmail json YAML

2012-10-22 10:37:44 UTC MAIN commitmail json YAML

mention "discard" (ATA "TRIM") support

(drochner)

2012-10-19 17:09:08 UTC MAIN commitmail json YAML

Implement experimental support to pass notifications that a file
was deleted from the filesystem to the disk driver, commonly
known as "discard" or "trim".
fs/driver support is in ffs and ata wd for now.
This is what was posted here:
http://mail-index.netbsd.org/tech-kern/2012/02/28/msg012813.html
with minor cleanup, and the global switch replaced by a mount option.

(drochner)

2012-10-17 20:22:16 UTC MAIN commitmail json YAML

avoid dummy structure definition, include a system header instead,
looks just cleaner

(drochner)

2012-10-17 20:19:55 UTC MAIN commitmail json YAML

2012-10-17 20:16:59 UTC MAIN commitmail json YAML

defopt COMPAT_60, it is already being used

(drochner)

2012-10-17 16:13:01 UTC MAIN commitmail json YAML

recognize the P1GB and RDTSCP which were AMD-only on Intel HW too

(drochner)

2012-10-17 16:09:03 UTC MAIN commitmail json YAML

fix trivial typo in warning msg

(drochner)

2012-08-31 20:57:24 UTC MAIN commitmail json YAML

Align the stack to a 16-byte boundary on LWP creation.
This is more than required by the ABI, but it makes programs using SSE
in a thread work without extra compiler flags or performance hit.

(drochner)

2012-08-31 07:27:28 UTC MAIN commitmail json YAML

fix for archs w/o cpu ucode driver: add dummy definition

(drochner)

2012-08-30 12:16:49 UTC MAIN commitmail json YAML

Add "consttime_bcmp" and "explicit_bzero" functions for both kernel
and userland, as proposed on tech-security, with explicit_bzero using
a volatile function pointer as suggested by Alan Barrett.
Both do what the name says. For userland, both are prefixed by "__"
to keep them out of the user namespace.
Change some memset/memcmp uses to the new functions where it makes
sense -- these are just some examples, more to come.

(drochner)

2012-08-29 20:37:51 UTC MAIN commitmail json YAML

2012-08-29 17:13:23 UTC MAIN commitmail json YAML

Extend the CPU microcode update framework to support Intel x86 CPUs.
Contrary to the AMD implementation, it doesn't use xcalls to distribute
the update to all CPUs but relies on cpuctl(8) to bind itself to the
right CPU -- to keep it simple and avoid possible problems with
hyperthreading.
Also, it doesn't parse the vendor supplied file to pick the right
part for the present CPU model but relies on userland to prepare
files with specific filenames. I'll commit a pkg for this in a minute
(pkgsrc/sysutils/intel-microcode).
The ioctl interface changed; compatibility is provided (should be
limited to COMPAT_NETBSD6 as soon as this is available).

(drochner)

2012-08-24 12:20:02 UTC MAIN commitmail json YAML

Another contribution to PR kern/42225 which will hopefully
bring the story to an end:

Always ignore the residue from the CSW, just use the real
transfer length counted by the USB stack. This was first
proposed by Markus Kilbinger but unfortunately ignored
later. (Too many cooks...)
According to Matthias Kretschmer, Darwin and Haiku do
the same.

Remove the "UMASS_QUIRK_IGNORE_RESIDUE" quirk which was
just for the one "SuperTop" device mentioned in the PR.
This device was successfully tested by Matthias Kretschmer /
Ignatios Souvatzis.

I've tested the patch with various other devices and
didn't find regressions.

(drochner)

2012-08-23 12:06:32 UTC MAIN commitmail json YAML

the address expire counter is just a time difference; it can turn
negative after the timer expired until the entry is deleted.
make it signed, so that we don't get output like
"00:1b:78:12:50:46 wm0 18446744073709551349 flags=0<>"

(drochner)

2012-08-23 11:59:02 UTC MAIN commitmail json YAML

fix some signatures

(drochner)

2012-08-20 10:32:32 UTC MAIN commitmail json YAML

For devices which don't claim SPC-3, don't request 32 bytes of sense
data but just 18. Some devices signal an error if the transfer length
is not exactly what the device expects, and it is hard to deal with
these errors afterwards.
This makes a number of USB memory sticks and SD card readers work
which were not usable before.

(drochner)

2012-08-15 13:28:32 UTC MAIN commitmail json YAML

return errno if pthread_create hits the system limit, not just -1
(this is not entirely correct because it can return ENOMEM which is
not mentioned in the spec, but there are other places in pthread_create
where ENOMEM is returned -- if at all, this should be fixed everywhere)

(drochner)

2012-08-09 09:15:21 UTC MAIN commitmail json YAML

mention switch to FAST_IPSEC in January

(drochner)

2012-08-08 18:37:52 UTC MAIN commitmail json YAML

on x86, <machine/cpufunc.h> only pulls in <x86/cpufunc.h>. The latter
is not installed to userland and no one missed it, so the former ones
can not be useful either. Don't install them.

(drochner)

2012-08-08 16:29:50 UTC MAIN commitmail json YAML

build fix for gcc -fno-common, from Radoslaw Kujawa

(drochner)

2012-07-27 22:55:30 UTC MAIN commitmail json YAML

2012-06-26 20:15:57 UTC MAIN commitmail json YAML

lua is at 5.2.1 upstream

(drochner)

2012-06-26 20:14:38 UTC MAIN commitmail json YAML

mention new upstream OpenPAM release

(drochner)

2012-06-26 19:03:09 UTC MAIN commitmail json YAML

2012-06-26 19:01:00 UTC MAIN commitmail json YAML

fix pci id for the Intel H61 LPC bridge to fit actual hardware (and
the chipset's documentation), and add some PCI-to-legacy bridges
found on recent boards

(drochner)

2012-06-24 10:06:34 UTC MAIN commitmail json YAML

stopgap fix for recursive locking on suspend/resume
(This can be simplified imo because interrupts should be disabled
at this point.)

(drochner)

2012-05-11 18:07:34 UTC MAIN commitmail json YAML

pull in upstream rev.22547:
Sanity check record length before skipping explicit IV in TLS 1.2, 1.1
and DTLS to fix DoS attack.
(CVE-2012-2333)

(drochner)

2012-04-27 18:15:55 UTC MAIN commitmail json YAML

minor mostly cosmetical fixes: use designated type for device major
numbers, typo in comment, misuse of minor()
(the latter one is not cosmetical, but would only affect systems
with more than 256 disk wedges)

(drochner)

2012-04-27 18:12:01 UTC MAIN commitmail json YAML

fix access permission check which got broken by some kauth rework
in March, affected mostly systems with NFS root fs

(drochner)

2012-04-25 11:02:46 UTC MAIN commitmail json YAML

fix for previous fix: correct error code (upstream rev.22474)

(drochner)

2012-04-24 09:53:42 UTC MAIN commitmail json YAML

print correct link speed for PCIexpress Gen2+
(the decoding code needs to be rewritten, sorry for only adding to
the mess)

(drochner)

2012-04-23 17:19:01 UTC MAIN commitmail json YAML

everywhere else it is assumed that the filesystem block size fits into
a 32-bit "int" -- do the cast to quell a compiler warning in a more
sensible way

(drochner)

2012-04-19 20:20:57 UTC MAIN commitmail json YAML

pull in upstream SVN rev. 22439:
check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean. (CVE-2012-2110)

(drochner)

2012-03-30 20:15:19 UTC MAIN commitmail json YAML

reorder initialization to improve error handling in case the system
runs out of file descriptors, avoids LOCKDEBUG panic due to double
mutex initialization

(drochner)

2012-03-22 20:52:47 UTC MAIN commitmail json YAML

2012-03-22 20:34:43 UTC MAIN commitmail json YAML

2012-03-22 20:01:19 UTC MAIN commitmail json YAML

don't reuse a dynamically allocated stack if a fixed one is requested

(drochner)

2012-03-09 12:30:28 UTC MAIN commitmail json YAML

2012-03-09 12:06:45 UTC MAIN commitmail json YAML

-fix initial stacksize rounding
-minor indentation fix

(drochner)

2012-02-28 17:23:58 UTC MAIN commitmail json YAML

apply upstream rev.22146: Tolerate bad MIME headers in parser.
avoids possible NULL dereference (CVE-2006-7248)

(drochner)

2012-02-18 13:48:11 UTC MAIN commitmail json YAML

add "Location" tags which tell where the source lives in the NetBSD
tree, and fix some paths in "Notes" sections

(drochner)

2012-02-18 13:44:46 UTC MAIN commitmail json YAML

remove stale entries: libcdk was removed 5 years ago, termcap.src between
netbsd-5 and netbsd-6

(drochner)

2012-02-18 13:42:46 UTC MAIN commitmail json YAML

2012-02-18 13:38:36 UTC MAIN commitmail json YAML

2012-02-15 16:11:23 UTC MAIN commitmail json YAML

fix for IPSEC tunnel + NAT-T + esp_frag:
Output packets larger than "esp_frag" are fragmented first
and then reinjected into ip_output for encapsulation
and transfer. The problem was that each packet got a new
ip_id value assigned, so that fragments couldn't be matched
by the receiver. Offset information was overwritten too.
approved by releng

(drochner)

2012-02-14 13:51:20 UTC MAIN commitmail json YAML

fix incomplete device_t/softc split which led to crash on attachment,
closes PR kern/45874 by Hauke Fath
approved by releng

(drochner)

2012-02-09 16:28:53 UTC MAIN commitmail json YAML

add patch from Redhat bug#784141 which fixes a possible
buffer overflow if used with an HTTP proxy (CVE-2012-0804)
approved by releng

(drochner)

2012-02-06 12:13:44 UTC MAIN commitmail json YAML

align allocations >=pagesize at a page boundary, to preserve traditional
malloc(9) semantics
fixes dri mappings shared per mmap (at least on i945)
approved by releng

(drochner)

2012-02-02 17:21:18 UTC MAIN commitmail json YAML

fill in timestamps in outgoing data buffers

(drochner)

2012-02-02 13:11:25 UTC MAIN commitmail json YAML

delete virtual screens on detach - this allows to hot-unplug
a udl@usb monitor without crash

(drochner)

2012-02-02 13:07:33 UTC MAIN commitmail json YAML

tell the compiler that the i387 runs in double-rounding mode, so it
doesn't need to issue memory store-read sequences to kill excess
precision. makes code smaller and faster, depending on optimization
flags
(as tests on Linux have shown, the compiler doesn't even succeed in
avoiding excess precision)

(drochner)

2012-01-30 19:41:24 UTC MAIN commitmail json YAML

Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as an example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

(drochner)

2012-01-30 19:20:14 UTC MAIN commitmail json YAML

document pci_aprint_devinfo(9) (not the _fancy variant yet because
it is still experimental)

(drochner)

2012-01-29 11:49:02 UTC MAIN commitmail json YAML

remove incomplete conversion to kmem_alloc -- inconsistent use
leads at least to diagnostic panics

(drochner)

2012-01-29 11:45:37 UTC MAIN commitmail json YAML

don't mess with the PDP pool cache before it is initialized,
prevents at least LOCKDEBUG panics

(drochner)

2012-01-29 11:31:38 UTC MAIN commitmail json YAML

extend the pci_aprint_devinfo slightly to cover the cases commonly
used by drivers: a short name for the quiet/naive case and a string
to override the "pcidevs" based name by one provided by the driver,
ride on yesterday's kernel minor version bump

(drochner)

2012-01-26 21:17:28 UTC MAIN commitmail json YAML

put printing of the pci_devinfo into its own function (not inlined
by purpose) - this is a stack hog, and with this change my uTCA amd64
system boots again
a lot of similar code can be eliminated from pci device drivers this way,
but before doing so (and making the new function part of the module API)
I'd like to consider a modification to make it work with drivers which
prefer to print names from other sources (like pciide)

(drochner)

2012-01-26 21:11:27 UTC MAIN commitmail json YAML

also mention the aes-gcm ESP variants

(drochner)

2012-01-26 21:10:24 UTC MAIN commitmail json YAML

remove some DPRINTFs which are not just diagnostics but cause noise
even on regular operation

(drochner)

2012-01-25 21:58:10 UTC MAIN commitmail json YAML

After IPSEC input processing, pass a decoded/authenticated IPv4 packet
to upper layers through the IP protosw, as done for IPv6.
Before it was reinjected into the IP netisr queue which caused more
overhead and caused artefacts like double IP option processing.
Works well for me, should get more testing and review.

(drochner)

2012-01-25 20:31:23 UTC MAIN commitmail json YAML

Make sure the mbufs in the input path (only the parts which we are going
to modify in the AH case) are writable/non-shared.
This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient
patch from that time by a radical solution.
(The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c,
so it needs a network driver modification to reproduce it.)
Being here, clarify a bit of ipcomp -- uncompression is done in-place,
the header must be removed explicitly.

(drochner)

2012-01-24 21:57:03 UTC MAIN commitmail json YAML

fix pointer/offset mistakes in handling of IPv4 options

(drochner)

2012-01-19 16:37:18 UTC MAIN commitmail json YAML

let one bit more through to SSE, to make FP_X_IMP work

(drochner)

2012-01-19 16:35:25 UTC MAIN commitmail json YAML

also remove unnecessary "needs-flag" for firmload, from Paul Goyette

(drochner)

2012-01-18 21:34:38 UTC MAIN commitmail json YAML

revert previous, the assumption "all buses 1 and up must be subordinate
to pci0" doesn't even hold on i386 -- there are server-class chipsets
with multiple primary PCI buses, see arch/x86/pci/pchb.c for examples

(drochner)

2012-01-18 20:37:20 UTC MAIN commitmail json YAML

get the logics straight: CPU_UCODE requires "firmload" as a dependency

(drochner)

2012-01-18 20:08:50 UTC MAIN commitmail json YAML

pull in rev.22050 from upstream CVS, following secadv_20120118.txt:
Fix for DTLS DoS issue introduced by fix for CVE-2011-4108 (CVE-2012-0050)

(drochner)

2012-01-16 16:27:59 UTC MAIN commitmail json YAML

move kame_ipsec.4 almost completely into ipsec.4 because it is valid
for fast_ipsec as well

(drochner)

2012-01-11 14:39:08 UTC MAIN commitmail json YAML

fix build in the (FAST_)IPSEC & TCP_SIGNATURE case

(drochner)

2012-01-11 14:37:45 UTC MAIN commitmail json YAML

protect "union sockaddr_union" from being defined twice by a CPP symbol
(copied from FreeBSD), allows coexistence of (FAST_)IPSEC and pf

(drochner)

2012-01-10 20:05:37 UTC MAIN commitmail json YAML

remove conditionals which can't succeed, and also shouldn't because
one would get a kernel NULL dereference immediately

(drochner)

2012-01-10 20:01:57 UTC MAIN commitmail json YAML

add patch from Arnaud Degroote to handle IPv6 extended options with
(FAST_)IPSEC, tested lightly with a DSTOPTS header consisting
of PAD1

(drochner)

2012-01-09 16:17:37 UTC MAIN commitmail json YAML

2012-01-09 15:42:08 UTC MAIN commitmail json YAML

allow the ESP fragment length in the NAT-T case to be reported back
through the pfkey interface, kernel part of PR kern/44952
by Wolfgang Stukenbrock

(drochner)

2012-01-09 15:25:14 UTC MAIN commitmail json YAML

allow setkey(8) set and display the ESP fragment size in the NAT-T case,
userland part of PR kern/44952 by Wolfgang Stukenbrock, just changed
the "frag" option name to "esp_frag", for consistency to the existing
option of similar effect in racoon(8)

(drochner)

2012-01-09 15:16:31 UTC MAIN commitmail json YAML

Make FAST_IPSEC the default IPSEC implementation which is built
into the kernel if the "IPSEC" kernel option is given.
The old implementation is still available as KAME_IPSEC.
Do some minimal manpage adjustment -- kame_ipsec(4) is a copy
of the old ipsec(4) and the latter is now a copy of fast_ipsec(4).

(drochner)

2012-01-06 14:21:17 UTC MAIN commitmail json YAML

split the ipsec.c source file into the pfkey part which is shared
with FAST_IPSEC and KAME specific IPSEC statistics

(drochner)

2012-01-06 14:17:12 UTC MAIN commitmail json YAML

2012-01-06 14:08:09 UTC MAIN commitmail json YAML

kill ipsec support which hasn't been working for a long time
(neither for KAME nor for FAST_IPSEC)

(drochner)

2012-01-06 14:04:02 UTC MAIN commitmail json YAML

pull in from FreeBSD rev.1.41: Narrow the use of user credentials.
(call pam_get_authtok() with caller's rights rather than user's)

(drochner)

2012-01-05 18:59:53 UTC MAIN commitmail json YAML

also pull in patches for older security problems (secadv_20110906.txt):
-rev.21358 for CRL verification vulnerability in OpenSSL (CVE-2011-3207)
-rev.21336 for TLS ephemeral ECDH crashes in OpenSSL (CVE-2011-3210)

(drochner)

2012-01-05 17:32:02 UTC MAIN commitmail json YAML

pull in some patches from upstream CVS, following secadv_20120104.txt:
-rev.21964 for DTLS Plaintext Recovery Attack (CVE-2011-4108)
-rev.21961 for Uninitialized SSL 3.0 Padding (CVE-2011-4576)
-rev.21456+21954 for Malformed RFC 3779 Data Can Cause Assertion Failures
(CVE-2011-4577)
(rev.21456 is not mentioned in the advisory, but there is code overlap)
-rev.21958 for SGC Restart DoS Attack (CVE-2011-4619)
-rev.21956 for Invalid GOST parameters DoS Attack (CVE-2012-0027)

(drochner)

2012-01-04 17:26:21 UTC MAIN commitmail json YAML

-make digital mode work in non-interactive mode (init sighandler
earlier, sleep(3) until playing finished)
-also switch to digital mode if an audio device is given on the
cmd line, or the (new) "CDPLAY_DIGITAL" env var is set

(The latter can be used to make digital mode default per system.
As I see it, analog mode is not dead yet - two of three external
DVD drives I looked at have a speaker output.)

(drochner)

2012-01-04 17:07:20 UTC MAIN commitmail json YAML

kill unnecessary srandom() call which crept in in rev. 1.33

(drochner)

2012-01-04 16:09:44 UTC MAIN commitmail json YAML

2012-01-04 15:55:37 UTC MAIN commitmail json YAML

-consistently use "char *" for the compiled policy buffer in the
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
differences between KAME and FAST_IPSEC

(drochner)

2011-12-20 16:38:06 UTC MAIN commitmail json YAML

allow kernels w/o COMPAT_50 to build

(drochner)

2011-12-20 11:18:36 UTC MAIN commitmail json YAML

note new OpenPAM release

(drochner)

2011-12-19 16:10:08 UTC MAIN commitmail json YAML

2011-12-19 11:59:59 UTC MAIN commitmail json YAML

2011-12-19 11:47:17 UTC MAIN commitmail json YAML

as in netkey/key.c, just use cprng_fast() to get a random number
(which is used to choose an SPI), kill the dummy seeding code

(drochner)

2011-12-19 11:10:08 UTC MAIN commitmail json YAML

make this build with RND_DEBUG

(drochner)

2011-12-16 17:37:14 UTC MAIN commitmail json YAML

2011-12-16 17:35:09 UTC MAIN commitmail json YAML

disallow empty passphrases per default, and implement the "nullok"
option to allow it if the administrator wishes, from FreeBSD

(drochner)

2011-12-16 17:30:12 UTC MAIN commitmail json YAML

-remove remainders of the misguided changes in revs 1.5-1.9
-iron out more unnecessary differences to FreeBSD

(drochner)

2011-11-29 17:28:45 UTC MAIN commitmail json YAML

sys/pcq.h isn't installed to userland, so only include it ifdef _KERNEL,
fixes glitch in kdump build

(drochner)

2011-11-29 17:27:10 UTC MAIN commitmail json YAML

remove the option to build this against openssl - this hasn't been used
in the NetBSD build
since the libc version of MD5Final zeroes out the context, replace
the bzero introduced in the previous commit by comments telling that

(drochner)

2011-11-29 13:18:52 UTC MAIN commitmail json YAML

zero out hash context after use, to avoid traces in RAM
(hint from "Solar Designer")

(drochner)

2011-11-29 13:17:04 UTC MAIN commitmail json YAML

2011-11-29 13:16:27 UTC MAIN commitmail json YAML

make "rs" static -- this name is too unspecific for the global namespace

(drochner)

2011-11-29 13:15:27 UTC MAIN commitmail json YAML

add missing rnd_extract->cprng_fast conversion, fixes build of
FAST_IPSEC kernels

(drochner)

2011-11-26 15:54:52 UTC MAIN commitmail json YAML

stopgap fix to avoid panic due to recursive locking if the keyboard beep
is activated through a tty (which it usually is)
IMO it was no good idea to abuse tty_lock here - it is already
problematic in the tty subsystem

(drochner)

2011-11-09 20:26:41 UTC MAIN commitmail json YAML

Don't allow '/' characters in the "service" argument to pam_start()
The "service" is blindly appended to config directories ("/etc/pam.d/"),
and if a user can control the "service" it can get PAM to read config
files from any location.
This is not a problem with most software because the "service" is
usually a constant string. The check protects 3rd party software
from being abused.
(CVE-2011-4122)

(drochner)

2011-11-09 20:17:44 UTC MAIN commitmail json YAML

remove duplicated #defines (in a usually unused part of the code)

(drochner)

2011-11-09 18:29:28 UTC MAIN commitmail json YAML

for the *xattr() calls, return ENOTSUP rather than EOPNOTSUPP if
the filesystem doesn't support extended attributes -- this is how
it is documented in Linux manpages
(on Linux itself, ENOTSUP and EOPNOTSUPP are the same value)
approved by Emmanuel Dreyfus

(drochner)

2011-08-01 11:20:28 UTC MAIN commitmail json YAML

remove some bloat:
-cardbus doesn't use multiple interrupt lines like PCI, and it doesn't
use mechanisms like interrupt line register and swizzling -- no need
to carry around dummy information, this is all dealt with by the
bridge
(I'm asking myself how "rbus_ppb" can work -- a bridge attached to
cardbus just can't work like a normal PCI bridge as far as interrupts
are concerned. I think that should be a hardware specific driver
because behavior is not covered by a standard.)
-cardbus always uses 3.3V -- no need for a variable to keep track
of the voltage

(drochner)

2011-08-01 11:08:03 UTC MAIN commitmail json YAML

add an experimental implementation of PCI MSIs (Message Signaled
Interrupts). Successfully tested with hdaudio and "wpi" wireless
ethernet.
notes:
-There seem to be buggy chips around which announce MSI support
but don't correctly implement it. Thus the final word whether MSIs
can be used should be by the driver.
-Only a single vector is supported. For multiple vectors, the IDT
allocation code would have to be changed. (And we would possibly
run into problems due to the limited number of vectors supported
by the current code.)
-The code is "#if NIOAPIC > 0" because it uses the ioapic_edge
interrupt stubs. These actually don't touch any ioapic, so this
is somewhat a misnomer.
-MSIs can't be identified by a "pin" but only by a cpu/vector
pair. Common intr code doesn't deal well with this yet.
-Drivers need to take care of saving/restoring MSI data in the device's
config space on suspend/resume.

(drochner)

2011-08-01 10:42:24 UTC MAIN commitmail json YAML

if checking whether an interrupt is shared, don't compare pin numbers
if it is "-1" -- this is a hack to allow MSIs which don't have a concept
of pin numbers, and are generally not shared
(This doesn't give us sensible event names for statistics display. The
whole abstraction has more exceptions than regular cases, it should
be redesigned imho.)

(drochner)

2011-08-01 10:33:26 UTC MAIN commitmail json YAML

modify parsing of device names so that it can deal with names which
have numbers in it, eg "i915drm*"

(drochner)

2011-07-18 21:48:03 UTC MAIN commitmail json YAML

2011-07-18 11:43:54 UTC MAIN commitmail json YAML

2011-07-18 11:28:24 UTC MAIN commitmail json YAML

make the data arguments of *setxattr(2) const, as in Linux
(is this an official NetBSD API or should it be COMPAT_LINUX only?)

(drochner)

2011-07-14 12:44:11 UTC MAIN commitmail json YAML

back out previous - this should be unnecessary on NetBSD due to
the extra validation introduced in rev.1.42 (and pulled up to netbsd-5)

(drochner)

2011-07-14 10:43:55 UTC MAIN commitmail json YAML

clear the packet filter's scratch memory before running the filter
program, otherwise kernel memory can be leaked, from Guy Harris
per PR kern/45142

(drochner)

2011-07-12 18:19:13 UTC MAIN commitmail json YAML

2011-07-07 18:11:19 UTC MAIN commitmail json YAML

remove SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION -- openssl uses
another mechanism now, and these remainders break renegotiation with
(at least) tor and postgres

(drochner)

2011-07-07 17:55:26 UTC MAIN commitmail json YAML

ignore error of "rmdir", to let "make clean" succeed in an already
clean directory

(drochner)

2011-07-06 19:53:25 UTC MAIN commitmail json YAML

2011-07-06 19:52:06 UTC MAIN commitmail json YAML

cleanup:
-fix for OBJDIR
-link mpfr against gmp, and mpc against gmp+mpfr
-clean up generated files

(drochner)

2011-06-09 21:04:37 UTC MAIN commitmail json YAML

catch a case where an ip6 address with scope embedded was compared with
one without -- interestingly this didn't break the connection but just
caused a useless encapsulation
(this code needs to be rearranged to get it clean)

(drochner)

2011-06-09 19:54:18 UTC MAIN commitmail json YAML

2011-06-09 14:47:42 UTC MAIN commitmail json YAML

use 64-bit integers for GF128 multiplication on LP64 CPUs

(drochner)

2011-06-09 14:41:24 UTC MAIN commitmail json YAML

-if an opencrypto(9) session is allocated, the driver is refcounted
and can not disappear -- no need to hold crypto_mtx to check the
driver list
(the whole check is questionable)
-crp->crp_cv (the condition variable) is used by userland cryptodev
exclusively -- move its initialization there, no need to waste
cycles of in-kernel callers
-add a comment which members of "struct cryptop" are used
by opencrypto(9) and which by crypto(4)
(this should be split, no need to waste memory for in-kernel callers)

(drochner)

2011-06-08 10:25:21 UTC MAIN commitmail json YAML

2011-06-08 10:14:16 UTC MAIN commitmail json YAML

reduce typecasts and byte swapping

(drochner)

2011-06-07 15:57:52 UTC MAIN commitmail json YAML

use a simple counter as IV for AES-GMAC as suggested in RFC4543

(drochner)

2011-06-07 15:54:58 UTC MAIN commitmail json YAML

fix tunnel encapsulation in ipsec6_process_packet() -- it is not
completely clean yet, but at least a v6-in-v6 tunnel works now

(drochner)

2011-06-07 15:50:42 UTC MAIN commitmail json YAML

reindent ipsec6_process_packet() - whitespace changes only

(drochner)

2011-06-06 17:02:30 UTC MAIN commitmail json YAML

make sure the infinity returned by HUGE_VALL has the "implicit"
bit set, otherwise it is invalid
This code is unlikely to be hit because gcc (and clang) use
their builtins for these special values.

(drochner)

2011-06-06 16:50:46 UTC MAIN commitmail json YAML

make this work again after routing socket alignment changes

(drochner)

2011-06-06 16:48:35 UTC MAIN commitmail json YAML

remove a limitation that inner and outer IP version must be equal
for an ESP tunnel, and add some fixes which make v4-in-v6 work
(v6 as inner protocol isn't ready, even v6-in-v6 can never have worked)

being here, fix a statistics counter and kill an unused variable

(drochner)

2011-05-27 18:00:21 UTC MAIN commitmail json YAML

replace questionable pointer games which could cause reads of
uninitialized memory, from Wolfgang Stukenbrock per PR bin/44951

(drochner)

2011-05-27 17:23:47 UTC MAIN commitmail json YAML

add a line "image_generator gs" to the DESC file as the original
build framework does, lets "groff -Thtml" at least start
(it seems that ghostscript is not needed at least for simple documents)

(drochner)

2011-05-27 17:19:18 UTC MAIN commitmail json YAML

remember the data toggle bit per (bulk) endpoint rather than per
pipe, as required by the spec
This helps in cases where pipes are opened/closed without reconfiguring
the device in between, eg with the ugen driver.
only for UHCI/EHCI, don't have an OHCI to test

(drochner)

2011-05-27 17:12:47 UTC MAIN commitmail json YAML

add Upper Volta (Burkina Faso)
(got a nigeria-style spam mail with a phone number and was curious
where it came from)

(drochner)

2011-05-27 17:09:09 UTC MAIN commitmail json YAML

allow testing of GCM/GMAC code from userland

(drochner)

2011-05-27 17:06:55 UTC MAIN commitmail json YAML

make the "tags" target non-.PHONY because it reflects a real file,
and remove some nonsense in libc Makefile which caused that
a "tags" file was written in my source tree

(drochner)

2011-05-26 21:50:03 UTC MAIN commitmail json YAML

pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.

(drochner)

2011-05-26 20:33:24 UTC MAIN commitmail json YAML

fix building of a linked list if multiple algorithms are requested
in a session -- this just didn't work

(drochner)

2011-05-24 19:12:54 UTC MAIN commitmail json YAML

catch some corner cases of user input

(drochner)

2011-05-24 19:10:12 UTC MAIN commitmail json YAML

copy AES-XCBC-MAC support from KAME IPSEC to FAST_IPSEC
For this to fit, an API change in cryptosoft was adopted from OpenBSD
(addition of a "Setkey" method to hashes) which was done for GCM/GMAC
support there, so it might be useful in the future anyway.
tested against KAME IPSEC
AFAICT, FAST_IPSEC now supports as much as KAME.

(drochner)

2011-05-24 18:59:23 UTC MAIN commitmail json YAML

move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

(drochner)

2011-05-24 18:52:52 UTC MAIN commitmail json YAML

Change the way the IV is generated for AES-CTR: use a simple counter
instead of arc4random(). AES-CTR is sensitive against IV recurrence
(with the same key / nonce), and a random number doesn't give that
guarantee.
This needs a little API change in cryptosoft -- I've suggested it to
Open/FreeBSD, might change it depending on feedback.
Thanks to Steven Bellovin for hints.

(drochner)

2011-05-23 16:00:07 UTC MAIN commitmail json YAML

update draft-ipsec-* -> RFC
clarify a sentence

(drochner)

2011-05-23 15:37:36 UTC MAIN commitmail json YAML

-remove references to crypto/arc4/arc4.* -- the code isn't used
anywhere afaics
(The confusion comes probably from use of arc4random() at various places,
  but this lives in libkern and doesn't share code with the former.)
-g/c non-implementation of arc4 encryption in swcrypto(4)
-remove special casing of ARC4 in crypto(4) -- the point is that it
doesn't use an IV, and this fact is made explicit by the new "ivsize"
property of xforms

(drochner)

2011-05-23 15:22:57 UTC MAIN commitmail json YAML

If symmetric encryption is done from userland crypto(4) and no IV
is specified, the kernel gets one from the random generator. Make sure it
is copied out to the user, otherwise the result is quite useless.

(drochner)

2011-05-23 15:17:25 UTC MAIN commitmail json YAML

2011-05-23 14:29:56 UTC MAIN commitmail json YAML

report aes-ctr statistic counter by name

(drochner)

2011-05-23 13:57:52 UTC MAIN commitmail json YAML

allow ESP to use AES-CTR
(pfkey and userland tool support is already there because it has been
in KAME IPSEC all the time)
tested against KAME IPSEC

(drochner)

2011-05-23 13:54:00 UTC MAIN commitmail json YAML

being here, export camellia-cbc through crypto(4) to allow userland tests

(drochner)

2011-05-23 13:51:10 UTC MAIN commitmail json YAML

2011-05-23 13:46:54 UTC MAIN commitmail json YAML

-in the descriptor for encryption xforms, split the "blocksize" field
into "blocksize" and "IV size"
-add a "reinit" function pointer which, if set, means that the xform
does its IV handling itself and doesn't want the default CBC handling
by the framework (poor name, but left that way to avoid unnecessary
differences)
This syncs with Open/FreeBSD, purpose is to allow non-CBC transforms.
Refer to ivsize instead of blocksize where appropriate.
(At this point, blocksize and ivsize are identical.)

(drochner)

2011-05-21 13:23:37 UTC MAIN commitmail json YAML

sync minimum key size for AES with reality

(drochner)

2011-05-21 13:22:45 UTC MAIN commitmail json YAML

check key size on initialization -- otherwise the rijndael code
can fail silently

(drochner)

2011-05-21 10:04:04 UTC MAIN commitmail json YAML

fix a logic bug (which has been here from the beginning) which made
that only 96 random bits were used for IV generation,
this caused eg that the last 4 bytes of the IV in ESP/AES-CBC
were constant, leaking kernel memory
affects FAST_IPSEC only

(drochner)

2011-05-18 18:56:02 UTC MAIN commitmail json YAML

include the SHA2 hashes into the proposal which goes out with
SADB_ACQUIRE -- this doesn't change much because racoon ignores
the proposal from the kernel anyway and applies its own configuration,
but having MD5 and SHA1 in the list but SHA2 not looks strange

(drochner)

2011-05-18 18:36:16 UTC MAIN commitmail json YAML

use monotonic time rather than wall time for lifetime related timestamps,
to make key expiration robust against time changes

(drochner)

2011-05-18 12:54:15 UTC MAIN commitmail json YAML

remove unused expression

(drochner)

2011-05-18 12:53:04 UTC MAIN commitmail json YAML

2011-05-17 18:57:02 UTC MAIN commitmail json YAML

cleanup some error handling to avoid memory leaks and double frees,
from Wolfgang Stukenbrock per PR kern/44948, and part of kern/44952

(drochner)

2011-05-17 18:43:03 UTC MAIN commitmail json YAML

fix lookup of SAs for outgoing packets in the !prefered_oldsa case,
as done in KAME and FAST_IPSEC after NetBSD imported the code
(The default differs: KAME uses the oldest valid SA while FAST_IPSEC
in NetBSD uses the newest one. I'm not changing this -- there is a lack
of specification and behavior can be changed with the "oldsa" sysctl.)
For incoming packets it shouldn't matter but I made it look similar
just to avoid unnecessary differences.

(drochner)

2011-05-16 10:53:20 UTC MAIN commitmail json YAML

fix detach() to avoid use-after-free problems:
-stop transfers before freeing data structures
(and comment out a useless delay)
-free devinfo later
Hot-unplugging a USB cam while in use doesn't crash my box anymore now.

(drochner)

2011-05-16 10:45:56 UTC MAIN commitmail json YAML

-fix maximum length of salt (missing prefix, rounding error)
-clip number of rounds at 31 -- this is log2 of the real number,
and anything larger would break exponentiation
-catch possible atoi() error where log2(rounds) is parsed in the
salt prefix
-zero crypto state on exit
from Open/FreeBSD

(drochner)

2011-05-16 10:39:12 UTC MAIN commitmail json YAML

fix ipad/opad buffer length (was one too much), just for sanity

(drochner)

2011-05-16 10:27:49 UTC MAIN commitmail json YAML

split the "crypto_mtx" spinlock into 3: one spinlock each for
the incoming and outgoing request queues (which can be dealt with
by hardware accelerators) and an adaptive lock for "all the rest"
(mostly driver configuration, but also some unrelated stuff in
cryptodev.c which should be revisited)
The latter one seems to be unneeded at many places, but for now I've
done simple replacements only, except minor fixes (where
softint_schedule() was called without the lock held)

(drochner)

2011-05-16 10:18:52 UTC MAIN commitmail json YAML

remove redundant declarations

(drochner)

2011-05-16 10:05:23 UTC MAIN commitmail json YAML

remove redundant declaration

(drochner)

2011-05-16 10:04:02 UTC MAIN commitmail json YAML

remove a useless m_freem() call where the argument is known to be NULL

(drochner)

2011-05-16 10:02:30 UTC MAIN commitmail json YAML

use time_t rather than long for timestamps

(drochner)

2011-05-16 10:00:32 UTC MAIN commitmail json YAML

cosmetical whitespace changes

(drochner)

2011-05-11 15:09:00 UTC MAIN commitmail json YAML

use getmicrouptime(9) rather than microtime(9) for TIME_WAIT duration
calculation, because this doesn't get confused by system time changes,
and uses less CPU cycles
reviewed by dyoung

(drochner)

2011-05-09 19:15:29 UTC MAIN commitmail json YAML

rearrange variable usage to kill __UNCONST
reviewed by sjg

(drochner)

2011-05-06 21:48:46 UTC MAIN commitmail json YAML

As a first step towards more fine-grained locking, don't require
crypto_{new.free}session() to be called with the "crypto_mtx"
spinlock held.
This doesn't change much for now because these functions acquire
the said mutex first on entry now, but at least it keeps the nasty
locks local to the opencrypto core.

(drochner)

2011-05-06 17:22:09 UTC MAIN commitmail json YAML

remove excess newlines in debug output

(drochner)

2011-05-06 12:52:43 UTC MAIN commitmail json YAML

remove an empty function

(drochner)

2011-05-05 20:15:15 UTC MAIN commitmail json YAML

2011-05-05 18:40:25 UTC MAIN commitmail json YAML

2011-05-05 17:49:48 UTC MAIN commitmail json YAML

decode camellia-cbc in stats histogram

(drochner)

2011-05-05 17:48:29 UTC MAIN commitmail json YAML

support camellia-cbc as ESP cipher

(drochner)

2011-05-05 17:46:48 UTC MAIN commitmail json YAML

add IANA number for camellia-cbc, copied from FreeBSD

(drochner)

2011-05-05 17:44:39 UTC MAIN commitmail json YAML

2011-05-05 17:42:17 UTC MAIN commitmail json YAML

2011-05-05 17:38:36 UTC MAIN commitmail json YAML

2011-04-20 10:10:33 UTC MAIN commitmail json YAML