later is now.

branches: 1.18.52;
-consistently use "char *" for the compiled policy buffer in the
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
differences between KAME ans FAST_IPSEC

branches: 1.17.34;
Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.

Redo previous rework to generate yacc/lex output again and remove generated
copies from the import as they don't compile clean across all archs.

Don't yacc/lex here as dist includes generated copies already and depending
on timestamps it's possible for gcc2 on vax to get confused on which .h
to use.

Ignore lint argument promotion warnings (for now).

branches: 1.13.2;
Define SADB_X_EALG_AESCBC=SADB_X_EALG_AES, as we define SADB_X_EALG_AES
in <net/pfkeyv2.h> while ipsec-tools uses SADB_X_EALG_AESCBC in the code.

Enable building the lint library.

Additional cleanup pass.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Only compile in IPv6 support if ${USE_INET6} != "no"

MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).

Explicitly move setting of NOxxx and USE_SHLIBDIR to the top of the
Makefile (before including <bsd.own.mk>)

Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path (etc).
(Reduces make output by ~ 20%)

* Add user-controlled mk.conf variables
- SHLIBDIR Location to install shared libraries if ${USE_SHLIBDIR}
is "yes". Defaults to "/usr/lib".

- USE_SHLIBDIR If "yes", install shared libraries in ${SHLIBDIR}
instead of ${LIBDIR}. Defaults to "no".
Sets ${_LIBSODIR} to the appropriate value.
This may be set by individual Makefiles as well.

- SHLINKDIR Location of shared linker. Defaults to "/usr/libexec".
If != "/usr/libexec", change the dynamic-linker
encoded in shared programs

* Set USE_SHLIBDIR for libraries used by /bin and /sbin:
libc libcrypt libcrypto libedit libipsec libkvm libm libmi387
libtermcap libutil libz

* If ${_LIBSODIR} != ${LIBDIR}, add symlinks from ${LIBDIR}/${LIB}.so*
to ${_LIBSODIR}/${LIB}.so* for compatibility.

* Always install /sbin/init statically (for now)


The net effect of these changes depends on how the variables are set:

1.) If nothing is set or changed, there is no change from the
current behaviour:
- Static /bin, /sbin, and bits of /usr/*
- Dynamic rest
- Shared linker is /usr/libexec/ld*so

2.) If the following make variables are set:
LDSTATIC=
SHLINKDIR=/lib
SHLIBDIR=/lib
Then the behaviour becomes:
- Dynamic tools
- .so libraries used by /bin and /sbin are installed to /lib,
with symlinks from /usr/lib/lib*so to -> /lib/lib*so
where appropriate
- Shared linker is /lib/ld*so

3.) As per 2.), but add the following variable:
USE_SHLIBDIR=yes
This forces all .so's to be instaleld in /lib (with compat
symlinks), not just those tagged by their Makefiles to be.
Again, compat symlinks are installed

Need -I${.CURDIR} for ipsec_strerror.h

hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

s/CFLAGS/CPPFLAGS/ for -D and -I.
remove lint error.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

branches: 1.1.2;
file Version.map was initially added on branch agc-symver.

Switch the iconv(3) prototype to the POSIX conformant variation

Remove const from the 2nd argument.

const char ** and char ** are incompatible types and it was a cost to keep
the technically incompatible form for a more purist variation. NetBSD was
almost the last alive OS to still keep the const argument (known leftovers:
Minix and Illumos).

Keep the const form for the internal purposes inside citrus and rump.

Address the build breakage fallout in the same change.

There are no ABI changes.

Change accepted by core@.

Remove dead references to netinet6/ipsec.h.

branches: 1.8.2;
Disable draft_00 in racoon, discussed on tech-net@ and now in PR/53334.
While here clarify the comments, no #undef.

No need to increase the library version I guess, since draft_00 is not
used in libipsec.

branches: 1.7.38;
include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))

-consistently use "char *" for the compiled policy buffer in the
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
differences between KAME ans FAST_IPSEC

branches: 1.5.16; 1.5.34;
stopgap fix: define PATH_IPSEC_H to make it build again
(added manually because there is no template in the distribution anymore)

branches: 1.4.2;
Fix ipsec-tools build after recent import

Merge ipsec-tools 0.6.3 import

Update config.h and package_version.h to match the upcoming import
of ipsec-tools 0.6.1rc1

branches: 1.1.2;
Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

branches: 1.1.4;
libipsec: Add expected symbols list.

PR lib/58838: shared libraries in base should all have expsym lists

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

NI_WITHSCOPEID was not picked up by IETF standardization process

use __RCSID()

correct %d/%u mismatch. sync w/kame

sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.2.2;
hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

sorry, forgot to cvs add new files

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

use __RCSID()

sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.2.2;
use proper include path (net/pfkeyv2.h)

sorry, forgot to cvs add new files

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Use
.In header.h
instead of
.Fd #include \*[Lt]header.h\*[Gt]
Much easier to read and write, and supported by groff for ages.
Okayed by ross.

typo

Generate <>& symbolically.

Whitespace nits.

sync manpage with latest kame.

description for "discard" was missing. sync with kame

sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.6.2;
upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

s/.Os KAME/.Os/

From: Klaus Klein <kleink@ira.uka.de>

branches: 1.4.4;
add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

add LIBRARY section into libipsec manpages.
add ".Lb libipsec" for this.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Use
.In header.h
instead of
.Fd #include \*[Lt]header.h\*[Gt]
Much easier to read and write, and supported by groff for ages.
Okayed by ross.

Generate <>& symbolically.

sync manpage with latest kame.

make ipsec_strerror(3) to return const char *, not char *. sync with kame.

branches: 1.7.2;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.6.2;
upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

s/.Os KAME/.Os/

From: Klaus Klein <kleink@ira.uka.de>

branches: 1.4.4;
add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

add LIBRARY section into libipsec manpages.
add ".Lb libipsec" for this.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

use __RCSID()

make ipsec_strerror(3) to return const char *, not char *. sync with kame.

branches: 1.6.2;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.5.2;
hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

make ipsec_strerror(3) to return const char *, not char *. sync with kame.

branches: 1.6.2;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.5.2;
hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.

branches: 1.1.4;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.18.2; 1.18.20;
Migration of ipsec-tools to NetBSD cvs: the version is "cvs" now...

Add NAT ports to SAD in setkey so that NAT SAD entries generated by
racoon can be removed by hand.

Merge ipsec-tools 0.6.3 import

Update ipsec-tools version

Update to ipsec-tools 0.6.1

Update config.h and package_version.h to match the upcoming import
of ipsec-tools 0.6.1rc1

Bump version number

- Fix a double free
- For acquire messages, when NAT-T is in use, consider null port as a
wildcard and use IKE port

Update sample config file to higher security settings

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that
multiple SA can be used in transport mode

While I'm there, patch ipsec-tools ChangeLog to reflect the changes we
took from ipsec-tools-0_6-branch

Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
to talk to the same machine outside the NAT. This also require kernel
fixes (already committed eralier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
over UDP when printing policies

Resurrect TCP-MD5 support. This fixes bin/29915

branches: 1.5.2;
update ipsec-tools version

update ipsec-tools version

update ipsec-tools version

bump ipsec-tools package version

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

I'm not sure what the comment is trying to say, but it can say it with
'making' at least as well as 'makeing'.

Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

occured -> occurred. From Peter Postma.

Process has only one c. From miod@openbsd.

protect SADB_X_EXT_TAG with #ifdef

typo

cosmetic

use __RCSID()

Avoid memory leak. Pointed out by Patrick Latifi <patrickl at secureops dot com>

sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.

Spell 'occurred' with two 'r's.

More include cleanup. Remvoe (p) from #undef in libipsec.

sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.9.2;
hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

use proper include path (net/pfkeyv2.h)

don't include in6.h directly.

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

temporary workaround against KAME PR 154.
http://www2.kame.net/dev/query-pr.cgi?pr=154

This allows many keys to be dumped via "setkey -D", or many keys
to be configured by single "setkey -c < foo" command.

add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

s/CFLAGS/CPPFLAGS/ for -D and -I.
remove lint error.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

deal with policy without selector. sync w/ kame

protect SADB_X_EXT_TAG with #ifdef

typo

support new algorithms

support hmac-sha2

use __RCSID()

correct %d/%u mismatch. sync w/kame

sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.

support rijndael-cbc

do not rely upon algorithm ordering in pfkey spec. sync with kame

branches: 1.7.2;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.6.2;
use proper include path (net/pfkeyv2.h)

don't include in6.h directly.

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.

More trailing white space.

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

avoid memory leak. hint from Andrew Lunn

do not malloc(0). Andrew Lunn

realloc error check failure; Greg Troxel, sync w/ kame

correct unsafe use of realloc().

don't explicitly clear "reserved" field. instead clear "id" field.

clear malloc'ed memory. sync w/kame

plug memory leak. from ebisawa@iij, sync w/kame

branches: 1.7.2;
sync manpage with latest kame.

Revert previous overzealous change, committed in error.

Put back prototype of yyparse(), since the function name is modified
by the Makefile

YPREFIX+=__libyy

setting, and we thus get an unprototyped function.

remove redundant declaration of yyparse.

branches: 1.3.2;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.2.2;
hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

sorry, forgot to cvs add new files

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

plug memory leak

plug memory leak. from ebisawa@iij, sync w/kame

branches: 1.6.2;
sync manpage with latest kame.

move ipsec_{hex,bin}dump() into #ifdef wrapper.
libipsec: remove unnecessary #include key_debug.h.

branches: 1.4.2;
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification

branches: 1.3.2;
hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

use proper include path (net/pfkeyv2.h)

sorry, forgot to cvs add new files

bump shared libraries.

Bump libipsec minor

branches: 1.4.10;
Bump shlib version to 2.1 as was intended with ipsec-tools integration.

hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to less exported APIs than before - am I correct here?).

upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly

ipsec support library.
mainly for debugging, and policy text->binary conversion. NO crypto code
is included so it is export safe.