History log of /openbsd-src/sbin/ipsecctl/pfkdump.c (Results 1 – 25 of 58)
Revision Date Author Comments
# c4f11a12 10-Oct-2023 tobhe <tobhe@openbsd.org>

Print at most pkgsize - hdrsize bytes for pfkey tag and identity to
prevent out-of-bounds read in strlen().

ok tb@

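The bounded read that this commit describes, as an added example (not code from pfkdump.c or the OpenBSD tree). It models a PF_KEY extension with a local stand-in header whose length counts 64-bit units and includes the header, compares an unbounded strlen() against a read limited to pkgsize - hdrsize, and prints with an explicit precision so printf() honours the same bound. The struct, field and function names, and the meaning of pkgsize as "bytes actually received from the header onwards", are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pfkdump.c. ext_hdr stands in for the PF_KEY sadb_ext
 * header: ext_len counts 8-byte units and includes the header itself.
 * All names here are assumptions. */
struct ext_hdr {
	uint16_t ext_len;	/* whole extension, in 8-byte units */
	uint16_t ext_type;
};
#define EXT_LEN_UNIT 8

/* One extension as received: header pointer plus the bytes really present. */
struct ext_view {
	const struct ext_hdr	*hdr;
	size_t			 pkgsize;	/* bytes available from hdr onwards */
};

/* Unsafe: assumes the identity/tag string is NUL-terminated. If the payload
 * is filled completely, or the message was short, strlen() keeps reading
 * past the end of the message. */
size_t
ident_len_unsafe(const struct ext_view *v)
{
	return strlen((const char *)v->hdr + sizeof(*v->hdr));
}

/* Bounded: look at no more than pkgsize - hdrsize bytes, and no more than
 * the header declares. Returns (size_t)-1 when the header disagrees with
 * the bytes actually received. */
size_t
ident_len_bounded(const struct ext_view *v)
{
	size_t hdrsize = sizeof(*v->hdr);
	size_t declared;

	if (v->pkgsize < hdrsize)
		return (size_t)-1;
	declared = (size_t)v->hdr->ext_len * EXT_LEN_UNIT;
	if (declared < hdrsize || declared > v->pkgsize)
		return (size_t)-1;
	return strnlen((const char *)v->hdr + hdrsize, declared - hdrsize);
}

/* Print with an explicit precision so printf() cannot exceed the bound. */
int
print_ident(const struct ext_view *v)
{
	size_t n = ident_len_bounded(v);

	if (n == (size_t)-1)
		return -1;
	return printf("identity: %.*s\n", (int)n,
	    (const char *)v->hdr + sizeof(*v->hdr));
}

/* Constructed sample: a 16-byte extension (ext_len 2) whose 12 payload
 * bytes contain no NUL, followed by more non-NUL bytes. The only NUL is
 * the last byte of the 32-byte buffer, well outside the extension. */
union sample {
	struct ext_hdr	hdr;
	unsigned char	bytes[32];
};

static void
build_sample(union sample *s)
{
	memset(s->bytes, 'A', sizeof(s->bytes));
	s->bytes[sizeof(s->bytes) - 1] = '\0';
	s->hdr.ext_len = 2;	/* 2 * 8 = 16 bytes: 4 header + 12 payload */
	s->hdr.ext_type = 1;
}

/* Length the unsafe (bounded == 0) or bounded reader computes for the
 * sample when pkgsize bytes of it are considered received. */
size_t
sample_len(int bounded, size_t pkgsize)
{
	union sample s;
	struct ext_view v;

	build_sample(&s);
	v.hdr = &s.hdr;
	v.pkgsize = pkgsize;
	return bounded ? ident_len_bounded(&v) : ident_len_unsafe(&v);
}

int
main(void)
{
	printf("unsafe strlen: %zu bytes\n", sample_len(0, 16)); /* 27: ran past the extension */
	printf("bounded:       %zu bytes\n", sample_len(1, 16)); /* 12 */
	printf("short read:    %s\n",
	    sample_len(1, 8) == (size_t)-1 ? "rejected" : "accepted"); /* rejected */
	return 0;
}
```

The unsafe reader reports 27 bytes for a 12-byte payload because it walks to the first NUL wherever that happens to be; in a real dump that NUL may lie beyond the mapped message. The bounded reader also rejects a header that claims 16 bytes when only 8 were received, which is the other way a strlen() over pfkey data ends up out of bounds.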

# 8fd570bd 07-Aug-2023 dlg <dlg@openbsd.org>

add support for route-based ipsec vpn negotiation with sec(4) via isakmpd.

this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.

if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).

this supports route-based instead of policy based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@



# 688ebb76 07-Mar-2023 guenther <guenther@openbsd.org>

Delete obsolete /* ARGSUSED1 */ lint comments.

ok claudio@ cheloha@ krw@ deraadt@ miod@ millert@


# 7834797c 22-Oct-2021 bluhm <bluhm@openbsd.org>

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone. Remove all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@


# 094e3f7d 14-Jul-2021 tobhe <tobhe@openbsd.org>

Export SA replay counters via pfkey and print with ipsecctl.
This is useful for debugging replay window issues with 64 bit
sequence numbers in IPsec.

ok bluhm@


# 49c3446e 05-Jul-2021 tobhe <tobhe@openbsd.org>

Print SA MTU if included in pfkey message.

ok bluhm@ sthen@ mpi@


# d8131d03 05-Nov-2020 phessler <phessler@openbsd.org>

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@


# 14c62822 01-Jun-2020 tobhe <tobhe@openbsd.org>

Fix "comparison of integers of different signs" warning.

ok patrick@


# f5924638 23-Apr-2020 tobhe <tobhe@openbsd.org>

Support SADB_X_EXT_RDOMAIN extension in pfkey dump (-m).

ok markus@, patrick@


# 515e489c 03-Jul-2019 deraadt <deraadt@openbsd.org>

snprintf/vsnprintf return < 0 on error, rather than -1.


# 7fc6e3f0 28-Aug-2018 mpi <mpi@openbsd.org>

Display per-TDB counters in verbose mode.

ok sthen@


# 0bfe572b 10-Jul-2018 mpi <mpi@openbsd.org>

Include <sys/queue.h> instead of relying on kernel headers to include
it.

ok markus@ as part of a larger diff


# a6bcba92 19-Apr-2017 bluhm <bluhm@openbsd.org>

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@



# 79d7816a 10-Apr-2017 deraadt <deraadt@openbsd.org>

Found another len += snprintf...
ok mikeb

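The two snprintf pitfalls named in this log entry and in the 03-Jul-2019 entry above (accumulating with "len += snprintf(...)", and testing the return only against -1), as an added example that is not code from ipsecctl. The first function shows why the accumulation wraps without performing the overflow; the second is a safe accumulator that tests for any negative return and for truncation before advancing; format_sa() uses it to build an SA line. Function names and the line format are assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ipsecctl code; names are assumptions.
 *
 * snprintf() returns the length the full output would have needed, not
 * the number of bytes written. With "len += snprintf(...)", one truncated
 * call pushes len past size; size - len then wraps as a size_t and the
 * next call is handed a huge size for a pointer already past the buffer.
 * This returns that wrapped size instead of passing it on. */
size_t
buggy_next_size(char *buf, size_t size, const char *field)
{
	size_t len = 0;

	len += snprintf(buf, size, "%s", field);	/* would-be length */
	return size - len;	/* wraps when field did not fit */
}

/* Safe accumulator: appends at *len in buf[size]. Returns 0 on success,
 * -1 on a formatting error (any negative return, not only -1) or on
 * truncation, in which case nothing is appended and *len is unchanged. */
int
buf_appendf(char *buf, size_t size, size_t *len, const char *fmt, ...)
{
	va_list ap;
	int ret;

	if (*len >= size)
		return -1;
	va_start(ap, fmt);
	ret = vsnprintf(buf + *len, size - *len, fmt, ap);
	va_end(ap);
	if (ret < 0)
		return -1;		/* error */
	if ((size_t)ret >= size - *len) {
		buf[*len] = '\0';	/* drop the partial output */
		return -1;		/* truncated */
	}
	*len += (size_t)ret;
	return 0;
}

/* Build "esp from A to B spi 0x........" in buf; -1 if it does not fit. */
int
format_sa(char *buf, size_t size, const char *src, const char *dst,
    unsigned int spi)
{
	size_t len = 0;

	if (size == 0)
		return -1;
	buf[0] = '\0';
	if (buf_appendf(buf, size, &len, "esp from %s", src) == -1 ||
	    buf_appendf(buf, size, &len, " to %s", dst) == -1 ||
	    buf_appendf(buf, size, &len, " spi 0x%08x", spi) == -1)
		return -1;
	return 0;
}

/* Constructed cases. */
int
demo_fits(void)			/* 1: the 44-char line fits in 64 bytes */
{
	char buf[64];

	if (format_sa(buf, sizeof(buf), "10.0.0.1", "10.0.0.2", 0x1000) == -1)
		return 0;
	return strcmp(buf, "esp from 10.0.0.1 to 10.0.0.2 spi 0x00001000") == 0;
}

int
demo_truncated(void)		/* -1: the third append needs 15 bytes, 3 remain */
{
	char buf[32];

	return format_sa(buf, sizeof(buf), "10.0.0.1", "10.0.0.2", 0x1000);
}

int
demo_buggy_wraps(void)		/* 1: snprintf() returns 10 for an 8-byte buffer */
{
	char buf[8];

	return buggy_next_size(buf, sizeof(buf), "0123456789") > sizeof(buf);
}

int
main(void)
{
	char buf[64];

	if (format_sa(buf, sizeof(buf), "10.0.0.1", "10.0.0.2", 0x1000) == 0)
		printf("%s\n", buf);
	printf("truncated: %d, buggy size wraps: %d\n",
	    demo_truncated(), demo_buggy_wraps());
	return 0;
}
```

The check "(size_t)ret >= size - *len" is the one that the "len +=" form skips: equality means the NUL was the only thing that did not fit, which is still truncation. Testing "ret == -1" alone misses implementations that return other negative values on encoding errors, which is why the 2019 entry switched the tests to "< 0".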

# fbd50af5 02-Mar-2017 bluhm <bluhm@openbsd.org>

Now that the kernel provides information about IPsec SA bundles,
print them by default.
OK hshoexer@


# d44c51a1 28-Feb-2017 bluhm <bluhm@openbsd.org>

Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@



# 0e800071 09-Dec-2015 naddy <naddy@openbsd.org>

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@



# 597e5beb 02-Dec-2015 naddy <naddy@openbsd.org>

remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@


# f705960c 04-Nov-2015 mikeb <mikeb@openbsd.org>

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


# 6a70b10b 17-Apr-2015 mikeb <mikeb@openbsd.org>

Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer


# d0aa6eba 14-Apr-2015 mikeb <mikeb@openbsd.org>

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with an OK from markus.



# b9fc9a72 16-Jan-2015 deraadt <deraadt@openbsd.org>

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)



# 4ced5087 28-Dec-2014 claudio <claudio@openbsd.org>

Unbreak the tree. Looks like tedu did not tedu enough when killing KPDK
support.


# b6ffab99 22-Jan-2014 markus <markus@openbsd.org>

fix printing of IPcomp SAs; ok mikeb@ & todd@


# 8639b6ee 18-Sep-2012 markus <markus@openbsd.org>

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

