-consistently use "char *" for the compiled policy buffer in the
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
differences between KAME ans FAST_IPSEC

branches: 1.12.6;
no need for noinput

define YY_NO_INPUT where appropriate, from Kurt J. Lidl per PR misc/41160

Enable WARNS=4 by default except for:
dump dump_lfs fsck_ffs fsck_lfs fsdb mount_smbfs
newfs_ext2fs newfs_lfs resize_lfs setkey

branches: 1.9.30;
Redo previous rework to generate yacc/lex output again and remove generated
copies from the import as they don't compile clean across all archs.

Don't yacc/lex here as dist includes generated copies already and depending
on timestamps it's possible for gcc2 on vax to get confused on which .h
to use.

Move WARNS=3 to the Makefile.inc, and add a little const to the remaining
programs that did not compile before.

branches: 1.6.2;
Define SADB_X_EALG_AESCBC=SADB_X_EALG_AES, as we define SADB_X_EALG_AES
in <net/pfkeyv2.h> while ipsec-tools uses SADB_X_EALG_AESCBC in the code.

Additional cleanup pass.

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path

use YHEADER, not YFLAGS+=-d. from kre

branches: 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Kill __P(), use ANSI function declarations.

Add (unsigned char) cast to ctype function, reworked to fit on one line

Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

support DUMP by sysctl

committed by mistake

warn that port-number does not work for gateway config. PR kern/22715
add reference. bump date.

add another (void *) cast to appease gcc3.3

more error traps on malloc failure. accept "-E null".
various pedantic checks. from kame

Avoid strict alias warnings.

sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.

fix -Wshadow warnings

Fix a typo which prevented manual keying from working.

upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1

Add a "deleteall" command that takes a src/dst/protocol.

remove redundant decl

sync with recent net/pfkeyv2.h change (sorry forgot to commit). from kame

branches: 1.1.2; 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1

branches: 1.2.4;
update examples, so that they would at least pass the parser.

move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1

sync with the current usage. from kame.

note th at the file will not be installed into locations like
/usr/sibn or /sbin.

branches: 1.1.2; 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Bump date for previous.

Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

aes-xcbc-mac is now an RFC. bump date.

support DUMP by sysctl

Punctuation nit; bump date for previous.

make it possible to process files.

"tagged" policy is not introduced to netbsd-current yet

warn that port-number does not work for gateway config. PR kern/22715
add reference. bump date.

support new algorithms

support hmac-sha2

Bump date for last.

more error traps on malloc failure. accept "-E null".
various pedantic checks. from kame

Remove unnecessary space before dot.

correct bad RFC ref. KAME problem report 480

Fix some typos. From Igor Sobrado in PR 20722.

sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.

Slightly improve markup in two places, sort sections.

Whitespace nits

upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1

we have never supported lzs. sync with kame

sync with latest kame. clarifies hex key and other things.

Drop trailing dot in Nd.

Add a "deleteall" command that takes a src/dst/protocol.

have description on -v. sync with kame

support rijndael-cbc.

Fix spelling.

For commands and utilities, use EXIT STATUS rather than RETURN VALUES as
appropriate (and documented in mdoc(7)).

mention resesrved SPI range, which is not usable from userland

branches: 1.1.2; 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Kill __P(), use ANSI function declarations.

ignore promiscuous messages by checking sadb_msg_pid.

ok'ed by itojun.

support DUMP by sysctl

make it possible to use /kern/ipsec{sp,sa} for dumping policy/SA. it will
workaround the issue with socket buffer size in PF_KEY SADB_DUMP.

Add file ... mode to usage.

make it possible to process files.

more error traps on malloc failure. accept "-E null".
various pedantic checks. from kame

use NI_MAX*. 10 is not enough for port number. sync w/kame

upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1

getopt(3): EOF -> -1.

avoid use of ANSI C trigraph ??/

support rijndael-cbc.

branches: 1.1.2; 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Kill __P(), use ANSI function declarations.

Homogenize usage messages: make the 'usage' word all lowercase, as this seems
to be the most common practice in our tree.

branches: 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Kill __P(), use ANSI function declarations.

branches: 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

Kill __P(), use ANSI function declarations.

Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

Don't assign NULL to a char.

support DUMP by sysctl

committed by mistake

warn that port-number does not work for gateway config. PR kern/22715
add reference. bump date.

support new algorithms

cleanup

more error traps on malloc failure. accept "-E null".
various pedantic checks. from kame

permit scoped addr notation in policy string (-P esp/tunnel/foo%scope-bar%scope/use). from francis dupont. sync w/kame

sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.

upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1

Add a "deleteall" command that takes a src/dst/protocol.

use YHEADER, not YFLAGS+=-d. from kre

support rijndael-cbc.

sync with recent net/pfkeyv2.h change (sorry forgot to commit). from kame

branches: 1.1.2; 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)

Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.

branches: 1.1.4;
move setkey(8) from usr.sbin to sbin, to enable us to initialize
IPsec manual key before /usr mount..
(based on "don't use cvsmove" discussion i have seen, I did not use cvsmove)