History log of /openbsd-current/sbin/ipsecctl/parse.y
Revision Date Author Comments
# 1.183 07-Aug-2023 dlg

add support for route based ipsec vpn negotiation with sec(4) via isakmpd.

this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.

if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).

this supports route-based instead of policy based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


# 1.182 19-Apr-2023 jsg

remove duplicate includes


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.181 22-Oct-2021 bluhm

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone. Remove all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@


# 1.180 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.179 29-Dec-2020 benno

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.178 07-Feb-2020 bluhm

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@


Revision tags: OPENBSD_6_6_BASE
# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@

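As an added example (not code from parse.y or any other OpenBSD source), the quoted-string rules recorded in revisions 1.174 and 1.161 above, in C: a backslash followed by space or tab yields that character, a backslash followed by newline is a line continuation, and an embedded NUL byte inside the quotes is rejected instead of silently truncating the string. The function name, the explicit input length, the `\"` escape and the treatment of any other backslash sequence (kept literally) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * lex_quoted: decode one double-quoted string. `in` points just past the
 * opening quote and may contain NUL bytes, so the raw length is passed
 * explicitly instead of relying on strlen(). On success the decoded text
 * is written to `out` (NUL terminated) and the number of input bytes
 * consumed, including the closing quote, is returned. On error -1 is
 * returned and *err names the problem, the way yyerror() would report it.
 * (Example code, not the parse.y lexer itself.)
 */
long
lex_quoted(const unsigned char *in, size_t inlen, char *out, size_t outlen,
    const char **err)
{
	size_t i = 0, o = 0;
	int c, next;

	for (;;) {
		if (i >= inlen) {
			*err = "unterminated quoted string";
			return -1;
		}
		c = in[i++];
		if (c == '"')
			break;			/* closing quote */
		if (c == '\0') {
			/*
			 * rev 1.161: an embedded NUL would otherwise end the
			 * C string early in whatever consumes it (the pfctl
			 * anchor-name crash found by afl), so reject it here.
			 */
			*err = "syntax error: embedded nul in quoted string";
			return -1;
		}
		if (c == '\\') {
			if (i >= inlen) {
				*err = "unterminated quoted string";
				return -1;
			}
			next = in[i];
			if (next == '\n') {
				i++;		/* rev 1.174: line continuation */
				continue;
			}
			if (next == ' ' || next == '\t' || next == '"') {
				/*
				 * rev 1.174: "\ " and "\<tab>" expand to the
				 * space/tab. Accepting \" as a literal quote
				 * is an assumption of this example.
				 */
				c = next;
				i++;
			}
			/* any other \x: keep the backslash, x is read next round */
		}
		if (o + 1 >= outlen) {
			*err = "string too long";
			return -1;
		}
		out[o++] = (char)c;
	}
	out[o] = '\0';
	return (long)i;
}

int
main(void)
{
	/* constructed sample: the text following an opening quote */
	const unsigned char sample[] = "psk\\ with\\\nspace\" trailing";
	char out[128];
	const char *err = NULL;
	long n;

	n = lex_quoted(sample, sizeof(sample) - 1, out, sizeof(out), &err);
	if (n < 0)
		fprintf(stderr, "error: %s\n", err);
	else
		printf("consumed %ld bytes, string = \"%s\"\n", n, out);
	return n < 0;
}
```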

# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure, we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support for tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.182 19-Apr-2023 jsg

remove duplicate includes


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.181 22-Oct-2021 bluhm

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone. Reomve all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@


# 1.180 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.179 29-Dec-2020 benno

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.178 07-Feb-2020 bluhm

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@


Revision tags: OPENBSD_6_6_BASE
# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability.
Default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy
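
Added example, not code from ipsecctl or from any of the commits on this page: the key-length arithmetic of the 1.149 entry (AES key plus a 32-bit nonce, so aes-128-gcm needs 160 bits) and the static-key restriction of the 1.155 entry further up, as a small Python checker of the kind a practitioner might run over an ipsec.conf before loading it. The algorithm table is deliberately partial, and treating a bare aes-128/192/256 name as CBC is an assumption of the example, as is the wording of the error messages.

```python
"""Added example (not ipsecctl's own code): key-size and manual-keying checks
for the "enc" argument of ipsec.conf(5) rules, following the 1.149 and 1.155
log entries.  The algorithm table is deliberately partial."""
import re

NONCE_BITS = 32                               # 128 + 32 = 160 etc. (1.149)
STATIC_KEY_UNSAFE = ("ctr", "gcm", "gmac")    # refused with static keys (1.155)
NO_CONFIDENTIALITY = ("gmac", "null")         # authenticate only, no encryption

_AES_COUNTER = re.compile(r"aes-(128|192|256)-(ctr|gcm|gmac)\Z")
_AES_CBC = re.compile(r"aes-(128|192|256)\Z")  # assumed: aes-N without suffix is CBC


def enc_family(enc):
    """'aes-256-gcm' -> 'gcm', 'aes-128' -> 'cbc', 'null' -> 'null'."""
    if _AES_COUNTER.match(enc):
        return enc.rsplit("-", 1)[1]
    if _AES_CBC.match(enc):
        return "cbc"
    if enc == "null":
        return "null"
    raise ValueError("unknown enc algorithm %r" % enc)


def enc_key_bits(enc):
    """Key material, in bits, that a manually keyed SA must supply."""
    m = _AES_COUNTER.match(enc)
    if m:
        return int(m.group(1)) + NONCE_BITS     # e.g. aes-192-gcm -> 224
    m = _AES_CBC.match(enc)
    if m:
        return int(m.group(1))
    if enc == "null":
        return 0
    raise ValueError("unknown enc algorithm %r" % enc)


def provides_confidentiality(enc):
    """False for the gmac family and for null: they only authenticate."""
    return enc_family(enc) not in NO_CONFIDENTIALITY


def check_manual_enc(enc, enckey):
    """Validate the enc algorithm and key of a manually keyed esp/ah rule.

    enckey is the hex string from the rule ("0x" prefix optional).
    Returns None when acceptable, otherwise an error message."""
    try:
        fam = enc_family(enc)
    except ValueError as e:
        return str(e)
    if fam in STATIC_KEY_UNSAFE:
        return "%s cannot be used with static keys; use ike or a CBC cipher" % enc
    want = enc_key_bits(enc)
    key = enckey[2:] if enckey[:2].lower() == "0x" else enckey
    if len(key) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", key):
        return "enckey is not an even-length hex string"
    got = len(key) * 4
    if got != want:
        return "wrong enckey size for %s: %d bits given, %d bits expected" % (
            enc, got, want)
    return None
```

The checker reports the key size actually supplied next to the expected one, the behaviour the 1.87 entry asked for, and refuses the counter-mode families outright for manual SAs rather than merely warning.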


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SAs with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
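
Added example, not the parse.y lexer itself: the quoted-string rules of the 1.129 entry (restated in 1.174 above) together with the embedded-NUL rejection of the 1.161 entry, written as one stand-alone Python function so the edge cases can be exercised. Where those entries are silent (bare newlines inside quotes, other backslash sequences, a maximum string length) the behaviour here follows the shared pfctl-derived yylex() loop that 1.128 describes, and is an assumption of the example rather than something the log states; the older 1.66 rule is not followed.

```python
"""Added example (not the parse.y lexer): quoted-string handling as described
in the 1.129 and 1.161 log entries.  Behaviour the entries do not specify is
marked "assumed" below."""

MAXLEN = 8096   # assumed buffer size; the lexer reports "string too long"


class LexError(ValueError):
    pass


def lex_quoted_string(text, pos, maxlen=MAXLEN):
    """Lex a double-quoted string whose opening quote is text[pos].

    Returns (value, newlines, end): the unquoted value, the number of
    newlines consumed (for line counting) and the index just past the
    closing quote.  Raises LexError on malformed input.

      \\ followed by space or tab  -> that space or tab       (1.129)
      \\ followed by newline       -> dropped, continuation   (1.129)
      \\ followed by "             -> literal "               (assumed)
      \\ followed by anything else -> backslash kept, next    (assumed)
                                      char lexed on its own
      bare newline                 -> dropped, line counted   (assumed)
      NUL byte                     -> LexError                (1.161)
    """
    if pos >= len(text) or text[pos] != '"':
        raise LexError("not a quoted string")
    out = []
    newlines = 0
    i = pos + 1
    while True:
        if i >= len(text):
            raise LexError("unterminated quoted string")
        c = text[i]
        i += 1
        if c == "\n":
            newlines += 1
            continue
        if c == "\\":
            if i >= len(text):
                raise LexError("unterminated quoted string")
            nxt = text[i]
            if nxt in ('"', " ", "\t"):
                c = nxt            # escaped quote or blank becomes the char itself
                i += 1
            elif nxt == "\n":
                newlines += 1      # line continuation: nothing is emitted
                i += 1
                continue
            # any other sequence: keep the backslash, lex nxt normally
        elif c == '"':
            return "".join(out), newlines, i
        elif c == "\0":
            raise LexError("syntax error: embedded NUL in quoted string")
        if len(out) >= maxlen - 1:
            raise LexError("string too long")
        out.append(c)
```

The NUL check matters because the lexer's buffer is handed on as a C string: a NUL in the middle silently truncates the token, which is what the fuzzer-found pfctl crash in 1.161 came down to.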


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)'s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used by IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
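
Added example, not ipsecctl's own expand_rule(): the expansion the 1.12 entry shows, a tcpmd5 rule with an out:in SPI pair and key pair becoming one SA per direction, extended with the host lists of the 1.80 entry higher up on this page ("to { a, b }" yielding one rule per address) and the 1.8 rule that the key may be left out when deleting an SA. The grammar subset, the base-16 SPI parsing and the 0x%08x SPI formatting are assumptions made for the example; only the expansion behaviour comes from the entries.

```python
"""Added example (not ipsecctl's expand_rule()): expanding a tcpmd5 rule into
per-direction, per-host rules as the 1.12, 1.80 and 1.8 log entries describe.
Grammar subset and SPI formatting are assumptions of the example."""
import re
from itertools import product

_TOKEN = re.compile(r"\{[^}]*\}|\S+")   # a { list } counts as one token


class RuleError(ValueError):
    pass


def _hosts(tok):
    """'{ a, b }' -> ['a', 'b'];  'a' -> ['a']   (1.80 list syntax)."""
    if tok.startswith("{") and tok.endswith("}"):
        items = tok[1:-1].replace(",", " ").split()
        if not items:
            raise RuleError("empty host list")
        return items
    return [tok]


def _pair(tok, what):
    """'0x2000:0x2001' -> ('0x2000', '0x2001');  '0x2000' -> ('0x2000', None)."""
    parts = tok.split(":")
    if len(parts) > 2 or not all(parts):
        raise RuleError("bad %s specification %r" % (what, tok))
    return parts[0], (parts[1] if len(parts) == 2 else None)


def _spi(tok):
    try:
        v = int(tok, 16)            # assumed: SPIs are hex, "0x" optional
    except ValueError:
        raise RuleError("bad spi %r" % tok)
    if not 0 <= v <= 0xFFFFFFFF:
        raise RuleError("spi %r out of range" % tok)
    return "0x%08x" % v


def expand_tcpmd5(line, deleting=False):
    """Expand  tcpmd5 from H to H spi OUT[:IN] [key OUT[:IN]]  into
    single-direction rules.  Backslash-newline continuations are joined."""
    toks = _TOKEN.findall(line.replace("\\\n", " "))
    if not toks or toks[0] != "tcpmd5":
        raise RuleError("not a tcpmd5 rule")
    kw = {}
    i = 1
    while i + 1 < len(toks):
        if toks[i] in kw:
            raise RuleError("duplicate keyword %r" % toks[i])
        kw[toks[i]] = toks[i + 1]
        i += 2
    if i != len(toks):
        raise RuleError("dangling token %r" % toks[i])
    for need in ("from", "to", "spi"):
        if need not in kw:
            raise RuleError("missing %r" % need)
    spi_out, spi_in = _pair(kw["spi"], "spi")
    if "key" in kw:
        key_out, key_in = _pair(kw["key"], "key")
    elif deleting:
        key_out = key_in = None     # 1.8: no key needed to delete an SA
    else:
        raise RuleError("tcpmd5 rule needs a key")
    if key_in and not spi_in:
        raise RuleError("reverse key given without reverse spi")
    if spi_in and not key_in and not deleting:
        raise RuleError("reverse spi given without reverse key")

    def one(src, dst, spi, key):
        rule = "tcpmd5 from %s to %s spi %s" % (src, dst, _spi(spi))
        return rule + (" key %s" % key if key else "")

    out = []
    for src, dst in product(_hosts(kw["from"]), _hosts(kw["to"])):
        out.append(one(src, dst, spi_out, key_out))
        if spi_in:                  # 1.12: automatic reverse SA
            out.append(one(dst, src, spi_in, key_in))
    return out
```

Feeding it the exact rule from the entry above reproduces the two lines shown there; a list on either side multiplies the result, and a rule without a key is only accepted when the caller is deleting.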


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.181 22-Oct-2021 bluhm

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone. Reomve all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@


# 1.180 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.179 29-Dec-2020 benno

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.178 07-Feb-2020 bluhm

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@


Revision tags: OPENBSD_6_6_BASE
# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response',
'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected
from various misc@ and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SAs with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
Handle this in the parser. Better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful when AH cannot be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping SAs

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure we initialize unspecified keys and SPIs. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
let ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to a separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used for IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexer


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support for tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.180 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.179 29-Dec-2020 benno

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.178 07-Feb-2020 bluhm

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@


Revision tags: OPENBSD_6_6_BASE
# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing number out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure, we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
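
The expansion described in this commit message, as an added example that is not part of the ipsecctl sources: a small Python function (hypothetical name expand_tcpmd5, with a regular-expression grammar assumed for this example) that turns a tcpmd5 rule carrying out:in SPI and key pairs into the forward SA and the automatically created reverse SA shown above, with the SPI normalised to the 8-digit hex form the log prints. The example assumes that a lone SPI yields only the forward SA, that a reverse SA must carry its own key whenever the forward one does, and it does not handle keys read from a file.

```python
import re

# Constructed sample input: the rule quoted in the commit message above,
# with its backslash line continuation already joined into one logical line.
SAMPLE_RULE = ("tcpmd5 from 192.168.3.28 to 192.168.3.14 "
               "spi 0x2000:0x2001 key 0xbeefdead:0xdeadbeef")

# Hypothetical grammar for this example only: src, dst, an out[:in] SPI pair
# and an optional out[:in] key pair.  Keys read from a file are not handled.
RULE_RE = re.compile(
    r"^tcpmd5\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+spi\s+(?P<spi>\S+)(?:\s+key\s+(?P<key>\S+))?$")


def split_pair(field):
    """'out:in' -> (out, in); a lone 'out' -> (out, None); None -> (None, None)."""
    if field is None:
        return None, None
    parts = field.split(":")
    if len(parts) > 2:
        raise ValueError("at most one ':' allowed in %r" % field)
    return parts[0], (parts[1] if len(parts) == 2 else None)


def fmt_spi(spi):
    """Normalise an SPI to the zero-padded 8-digit hex form shown in the log."""
    value = int(spi, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("SPI %r is outside the 32-bit range" % spi)
    return "0x%08x" % value


def expand_tcpmd5(rule):
    """Expand one tcpmd5 rule into its forward SA and, when an incoming SPI
    is present, the reverse SA (src/dst swapped, second SPI and key)."""
    m = RULE_RE.match(" ".join(rule.split()))
    if m is None:
        raise ValueError("not a tcpmd5 rule: %r" % rule)
    src, dst = m.group("src"), m.group("dst")
    spi_out, spi_in = split_pair(m.group("spi"))
    key_out, key_in = split_pair(m.group("key"))
    # Assumption of this example: a reverse SA needs its own key whenever the
    # forward SA has one, and an incoming key makes no sense without an
    # incoming SPI.  Rules without any key (the delete case) are accepted.
    if spi_in is not None and key_out is not None and key_in is None:
        raise ValueError("incoming SPI given without an incoming key")
    if spi_in is None and key_in is not None:
        raise ValueError("incoming key given without an incoming SPI")

    def render(s, d, spi, key):
        line = "tcpmd5 from %s to %s spi %s" % (s, d, fmt_spi(spi))
        return line if key is None else line + " key " + key

    sas = [render(src, dst, spi_out, key_out)]
    if spi_in is not None:
        sas.append(render(dst, src, spi_in, key_in))  # reverse direction
    return sas


if __name__ == "__main__":
    for line in expand_tcpmd5(SAMPLE_RULE):
        print(line)
```

Running the block prints the two expanded SAs exactly as quoted in the commit message; a rule with a single SPI and no key, such as the deletion form mentioned in revision 1.8, expands to one SA without a key field.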


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.179 29-Dec-2020 benno

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.178 07-Feb-2020 bluhm

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@


Revision tags: OPENBSD_6_6_BASE
# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rules contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Originial idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing number out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful when AH cannot be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping SAs

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file cannot be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow specifying phase 1 and 2 lifetimes. Right now, these values
can only be set globally (i.e. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)'s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will set up two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow specifying groups to be used by IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows specifying the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow the specification of encryption and authentication algorithms to be swapped.
I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexer


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support for tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.178 07-Feb-2020 bluhm

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@


Revision tags: OPENBSD_6_6_BASE
# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80s
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that the aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow specifying ike and flow explicitly without a peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SAs with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows choosing between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to seperat function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip adresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@
cvs: ----------------------------------------------------------------------


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the contraint language


# 1.42 26-Nov-2005 hshoexer

allow specficiation of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.177 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


Revision tags: OPENBSD_6_5_BASE
# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
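
The two checks described in the commit messages for 1.35 (fstat() on the open descriptor instead of stat() before open()) and 1.159 (group readability is acceptable, world readability is not), as an added Python example. This is not ipsecctl's own code; the exact bits it rejects (any permission for "other"), the labels it returns and the sample file contents are assumptions made here.

```python
import os
import stat
import tempfile

# Assumed policy, following the commit messages for 1.35 and 1.159: owner
# and group may read the file, any permission for "other" is rejected, and
# the mode is read with fstat() from the descriptor that will actually be
# used, not from a stat() done on the path beforehand.
FORBIDDEN_BITS = stat.S_IRWXO


def open_secret_config(path):
    """Open path and check it on the open descriptor.

    Returns a text file object. Raises PermissionError when the file is
    accessible by "other" and ValueError when it is not a regular file.
    Checking st_mode after open() means the file checked is the file read;
    a stat() before open() would leave a window in which the path could be
    swapped for a different file.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("%s: not a regular file" % path)
        if st.st_mode & FORBIDDEN_BITS:
            raise PermissionError(
                "%s: mode %04o is accessible by others; use 0600 or 0640"
                % (path, stat.S_IMODE(st.st_mode)))
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "r")


def config_check_result(path):
    """Map the outcome of open_secret_config() to a short label."""
    try:
        f = open_secret_config(path)
    except PermissionError:
        return "world-accessible"
    except ValueError:
        return "not-regular"
    f.close()
    return "ok"


def demo():
    """Write three constructed config files with different modes and return
    {name: label}; the contents are a made-up rule, not a real secret."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("owner-only.conf", 0o600),
                           ("group-readable.conf", 0o640),
                           ("world-readable.conf", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("ike esp from 10.0.0.1 to 10.0.0.2 psk notreallysecret\n")
            os.chmod(p, mode)
            results[name] = config_check_result(p)
    return results


if __name__ == "__main__":
    for name, label in demo().items():
        print("%-22s %s" % (name, label))
```

The ordering is the whole point of 1.35: open first, then ask the kernel about the descriptor you hold. Anything learned about the path before the open can describe a different file by the time the open happens.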


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that the aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy
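
Why the commit messages for 1.106, 1.149 and 1.155 keep static keys away from the counter-mode transforms, as an added example (Python; not ipsecctl's or the kernel's code). AES-CTR and AES-GCM turn the key and a per-packet IV into a keystream, and RFC 3686 and RFC 4106 require that a (key, IV) pair is never used twice. With IKE the lifetime bounds how long a key is used; with manual keys nothing stops the IV counter from restarting, for instance after a reboot, and the first packet after that repeats a keystream. HMAC-SHA256 stands in for the AES block function here because AES is not in the Python standard library; the sample payloads and key are constructed, and the recovery step does not depend on which block function is used.

```python
import hashlib
import hmac
import os

# AES is not in the Python standard library, so HMAC-SHA256 stands in for
# the block cipher as a keyed PRF. The counter-mode construction around it
# (keystream block i = PRF(key, iv || i)) is what RFC 3686 and RFC 4106
# build on, and the failure shown below depends only on that construction.

def keystream(key, iv, length):
    """Counter-mode keystream for (key, iv); identical whenever both repeat."""
    out = b""
    counter = 0
    while len(out) < length:
        block = iv + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_xor(key, iv, data):
    """Encrypt or decrypt (the same operation) under key and per-packet IV."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def recover_reused_keystream(ct_known, pt_known, ct_other):
    """With one known plaintext, strip the shared keystream off a second
    ciphertext produced under the same key and IV."""
    n = min(len(ct_known), len(ct_other))
    ks = bytes(c ^ p for c, p in zip(ct_known[:n], pt_known[:n]))
    return bytes(c ^ k for c, k in zip(ct_other[:n], ks))


# Constructed sample traffic (not captured data).
STATIC_KEY = b"\x11" * 32
KNOWN_PT = b"GET /status HTTP/1.1\r\nHost: vpn-gw\r\n\r\n"   # guessable request
SECRET_PT = b"PUT /admin/passwd user=root pw=hunter2"        # same length


def manual_key_demo():
    """Manual keying: one static key, and an IV counter that restarted at
    zero (e.g. after a reboot), so two packets share key and IV. Returns
    what an eavesdropper who can guess the first packet learns about the
    second."""
    iv = (0).to_bytes(8, "big")
    ct1 = ctr_xor(STATIC_KEY, iv, KNOWN_PT)
    ct2 = ctr_xor(STATIC_KEY, iv, SECRET_PT)
    return recover_reused_keystream(ct1, KNOWN_PT, ct2)


def fresh_iv_demo():
    """The same attack when every packet carries a fresh IV: the keystream
    taken from packet 1 does not apply to packet 2."""
    ct1 = ctr_xor(STATIC_KEY, os.urandom(8), KNOWN_PT)
    ct2 = ctr_xor(STATIC_KEY, os.urandom(8), SECRET_PT)
    return recover_reused_keystream(ct1, KNOWN_PT, ct2)


if __name__ == "__main__":
    print("reused IV  :", manual_key_demo())
    print("fresh IVs  :", fresh_iv_demo()[:16], "...")
```

For GCM the same reuse also exposes the authentication subkey, so forgery follows the confidentiality loss; CBC with a random IV, which 1.106 made the default for static keys, does not have this per-packet keystream property.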


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing number out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping SAs

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out, RFC 3686 discourages use of AES-CTR for static
keying. markus@ seconds this, so use AES-CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow specifying phase 1 and 2 lifetimes. Right now, these values
can only be set globally (i.e. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)'s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.
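
The list expansion in this message, together with the address-family handling described for 1.113, 1.117, 1.137 and 1.138 (drop mismatched family combinations, reject a rule only if no combination matches, resolve a name to all its addresses, take the current "to" address as peer when none is given), as an added Python example that is not ipsecctl's own code. The resolver table standing in for DNS and getifaddrs() (em0, localhost, gw.example) is constructed data, and the output format is simplified to the from/to/peer part of a rule.

```python
import ipaddress

# Constructed stand-in for DNS and interface lookup (example data, not real
# hosts): a name maps to every address it resolves to, so that, as the
# commit message for 1.138 says, the right family can be chosen later.
RESOLVER = {
    "localhost": ["127.0.0.1", "::1"],
    "em0": ["192.168.1.1"],                    # pretend interface address
    "gw.example": ["203.0.113.1", "2001:db8::1"],
}


def expand_hosts(spec):
    """Expand a host spec, or a '{ a, b, ... }' list, into ip_network objects.

    'any' becomes 0.0.0.0/0 and ::/0 (1.84); names go through RESOLVER
    (1.138); everything else must be a literal address or prefix.
    """
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        items = [s.strip() for s in spec[1:-1].split(",") if s.strip()]
    else:
        items = [spec]
    nets = []
    for item in items:
        if item == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"),
                     ipaddress.ip_network("::/0")]
        elif item in RESOLVER:
            nets += [ipaddress.ip_network(a) for a in RESOLVER[item]]
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _fmt(net):
    """Print hosts bare and prefixes with their length, as ipsec.conf does."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def expand_rule(src_spec, dst_spec, peer_spec=None, kind="ike"):
    """Expand one rule into one rule per address-family-consistent combination.

    Without a peer, the current 'to' address is taken as the peer (1.137).
    Combinations whose families differ are dropped (1.113); if nothing is
    left, the rule is rejected (1.117).
    """
    srcs = expand_hosts(src_spec)
    dsts = expand_hosts(dst_spec)
    peers = expand_hosts(peer_spec) if peer_spec is not None else None
    rules = []
    for s in srcs:
        for d in dsts:
            if s.version != d.version:
                continue
            if peers is None:
                cands = [d]
            else:
                cands = [p for p in peers if p.version == d.version]
            for p in cands:
                rules.append("%s from %s to %s peer %s"
                             % (kind, _fmt(s), _fmt(d), _fmt(p)))
    if not rules:
        raise ValueError("no matching address family combination in "
                         "'from %s to %s'" % (src_spec, dst_spec))
    return rules


def expansion_error(*args, **kwargs):
    """Return the rejection message for a rule, or None if it expands."""
    try:
        expand_rule(*args, **kwargs)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for r in expand_rule("em0", "{ 192.168.7.0/24, 192.168.9.0/24 }", "1.2.3.4"):
        print(r)
```

Run as-is it prints the two rules this commit message describes; `expand_rule("localhost", "localhost")` shows the 1.138 case, where a name resolving to both families yields one v4 and one v6 rule rather than an error.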


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to a separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow specifying groups to be used for IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@
cvs: ----------------------------------------------------------------------


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the contraint language


# 1.42 26-Nov-2005 hshoexer

allow specficiation of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.176 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.175 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy
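
The key-size arithmetic listed above (AES key plus a 32-bit salt, hence 160/224/288 bits) together with the rule from revision 1.155 that AES-CTR, AES-GCM and AES-GMAC must never be statically keyed, as an added Python example; this is not ipsecctl's code and not part of the OpenBSD tree. The transform names and AEAD/CTR key lengths come from the commit messages; the 192-bit `3des-cbc` and plain `aes-128/192/256` CBC sizes are the standard key lengths for those ciphers; `keysize_bits()`, `check_manual_key()`, `new_key()` and the `SALT_BITS` constant are this example's own names.

```python
import re
import secrets

# Fixed 32-bit salt/nonce that RFC 3686 (CTR), RFC 4106 (GCM) and RFC 4543
# (GMAC) carry in the keying material; it is why the log lists 160/224/288-bit
# keys for 128/192/256-bit AES.
SALT_BITS = 32

# Counter-mode transforms are only safe under automated (IKE) keying: a static
# key means the nonce/counter stream repeats, which the RFCs expressly forbid.
NO_STATIC_KEY = re.compile(r"aes-\d+-(ctr|gcm|gmac)")


def keysize_bits(enc):
    """Bits of key material the 'enc' transform expects, or None if unknown."""
    m = re.fullmatch(r"aes-(128|192|256)(?:-(ctr|gcm|gmac))?", enc)
    if m:
        bits = int(m.group(1))
        return bits + SALT_BITS if m.group(2) else bits
    if enc == "3des-cbc":
        return 192
    return None


def check_manual_key(enc, key_hex):
    """Validate a static key for <enc>; returns (ok, reason)."""
    if NO_STATIC_KEY.fullmatch(enc):
        return False, ("%s cannot be used with static keys; negotiate it "
                       "with an 'ike' rule instead" % enc)
    want = keysize_bits(enc)
    if want is None:
        return False, "unknown transform %s" % enc
    if not re.fullmatch(r"0x[0-9a-fA-F]+", key_hex):
        return False, "key must be a 0x-prefixed hex string"
    got = (len(key_hex) - 2) * 4          # four bits per hex digit
    if got != want:
        return False, "key is %d bits, %s needs %d" % (got, enc, want)
    return True, "ok"


def new_key(enc):
    """Generate a random static key of the right size for <enc>; refuses the
    transforms that must be keyed by IKE."""
    if NO_STATIC_KEY.fullmatch(enc):
        raise ValueError("%s must be keyed by IKE, not statically" % enc)
    bits = keysize_bits(enc)
    if bits is None:
        raise ValueError("unknown transform %s" % enc)
    return "0x" + secrets.token_hex(bits // 8)


if __name__ == "__main__":
    # Constructed inputs: a correctly sized CBC key and a GCM key of the
    # "right" 288-bit length that is nevertheless refused for static use.
    print(check_manual_key("aes-256", new_key("aes-256")))
    print(check_manual_key("aes-256-gcm", "0x" + "00" * 36))
```

The second check fails on purpose: a 288-bit key for aes-256-gcm is the size the commit lists, but a static key for a counter-mode transform is still rejected, mirroring what revision 1.155 enforces in the grammar.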


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
Handle this in the parser. Better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful when AH cannot be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@
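
The host handling described in revisions 1.138, 1.117 and 1.113 above (expand a name or interface to all of its addresses, keep only from/to pairs whose address families agree, reject the rule when no pair matches), the "any" expansion of 1.84, and the ID-type detection of 1.146 and 1.140 (a bare address is IPV4_ADDR/IPV6_ADDR, anything written with a '/' is the _SUBNET type, a name is FQDN or USER_FQDN), as an added Python example that is not ipsecctl's own code. The `RESOLVE` table is a constructed stand-in for DNS and getifaddrs(); `resolve()`, `expand_hosts()` and `id_type()` are this example's names, and the ID-type strings are the ones isakmpd.conf(5) uses.

```python
import ipaddress

# Constructed stand-in for DNS lookups and getifaddrs(): name/interface ->
# every address it carries. "localhost" mirrors the ike56 regress case the
# log mentions, resolving to both 127.0.0.1 and ::1.
RESOLVE = {
    "localhost": ["127.0.0.1", "::1"],
    "lo0": ["127.0.0.1", "::1"],
    "em0": ["192.0.2.10", "2001:db8::10"],
    "v4only.example": ["192.0.2.20"],
    "v6only.example": ["2001:db8::20"],
}


def family(addr):
    """4 or 6 for an address or prefix string."""
    return ipaddress.ip_network(addr, strict=False).version


def resolve(host):
    """Expand one host spec into a list of address/prefix strings.
    Literal addresses and prefixes pass through unchanged, so "a.b.c.d" and
    "a.b.c.d/32" stay distinguishable; "any" becomes both families."""
    if host == "any":
        return ["0.0.0.0/0", "::/0"]
    try:
        ipaddress.ip_network(host, strict=False)
        return [host]
    except ValueError:
        pass                                # not a literal: look it up
    if host not in RESOLVE:
        raise ValueError("cannot resolve %r" % host)
    return list(RESOLVE[host])


def expand_hosts(src, dst):
    """Every (src, dst) pair whose address families agree. The rule is
    accepted as long as at least one combination matches; a rule with no
    matching family at all is an error rather than a silently wrong flow."""
    pairs = [(s, d)
             for s in resolve(src)
             for d in resolve(dst)
             if family(s) == family(d)]
    if not pairs:
        raise ValueError("no matching address family for %r -> %r"
                         % (src, dst))
    return pairs


def id_type(ident):
    """isakmpd ID-type for a srcid/dstid string."""
    if "@" in ident:
        return "USER_FQDN"
    try:
        version = ipaddress.ip_network(ident, strict=False).version
    except ValueError:
        return "FQDN"                      # not an address: a DNS name
    base = "IPV%d_ADDR" % version
    return base + "_SUBNET" if "/" in ident else base


if __name__ == "__main__":
    # The case from revision 1.117: lo0 has a v6 address too, but the v4
    # combination is enough for the rule to be accepted.
    print(expand_hosts("lo0", "127.0.0.1"))
    print(expand_hosts("localhost", "any"))
    print(id_type("192.0.2.1"), id_type("192.0.2.1/32"))
```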


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping SAs

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure we initialize unspecified keys and SPIs. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)'s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used by IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
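
The expansion shown above, generalised to the static-keying rules this log introduces (tcpmd5/ah/esp with from/to, an spi pair and an optional key pair; the key may be absent because of revision 1.8), as an added Python example that is not ipsecctl's own code. The grammar it accepts is a small subset of ipsec.conf(5) without the auth/enc transform keywords; `expand_rule()` and the fallback of using one key in both directions when two SPIs but only one key are given are this example's own assumptions.

```python
import re

# Constructed sample input: the rule quoted in the commit message above.
SAMPLE_RULE = ("tcpmd5 from 192.168.3.28 to 192.168.3.14 "
               "spi 0x2000:0x2001 key 0xbeefdead:0xdeadbeef")

# Minimal grammar for the static-keying rules the log talks about:
#   <proto> from <src> to <dst> spi <out>[:<in>] [key <out>[:<in>]]
_RULE_RE = re.compile(
    r"^(?P<proto>tcpmd5|ah|esp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+spi\s+(?P<spi>\S+)(?:\s+key\s+(?P<key>\S+))?$")


def _pair(value):
    """Split 'out:in' into (out, in); a single value yields (value, None)."""
    if value is None:
        return None, None
    out, _, back = value.partition(":")
    return out, (back or None)


def _spi(text):
    """Normalise an SPI to the 8-hex-digit form the expansion prints."""
    n = int(text, 16)
    if not 0 <= n <= 0xffffffff:
        raise ValueError("spi out of 32-bit range: %s" % text)
    return "0x%08x" % n


def _key(text):
    """Keys are hex strings; reject anything else before it reaches pfkey."""
    if not re.fullmatch(r"0x[0-9a-fA-F]+", text):
        raise ValueError("key is not a hex string: %s" % text)
    return text.lower()


def expand_rule(rule):
    """Expand one rule into its one-directional SA rules (reverse SA second)."""
    m = _RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("unparsable rule: %r" % rule)
    proto, src, dst = m["proto"], m["src"], m["dst"]
    spi_out, spi_in = _pair(m["spi"])
    key_out, key_in = _pair(m["key"])
    if key_in is not None and spi_in is None:
        raise ValueError("two keys given but only one spi")
    # Assumption: with two SPIs and a single key, the same key is used in
    # both directions (the commit shows no example of that case).
    if spi_in is not None and key_in is None:
        key_in = key_out

    def render(s, d, spi, key):
        text = "%s from %s to %s spi %s" % (proto, s, d, _spi(spi))
        if key is not None:
            text += " key %s" % _key(key)
        return text

    rules = [render(src, dst, spi_out, key_out)]
    if spi_in is not None:
        rules.append(render(dst, src, spi_in, key_in))   # the reverse SA
    return rules


if __name__ == "__main__":
    for line in expand_rule(SAMPLE_RULE):
        print(line)
```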


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support for tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.174 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that the aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure, we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used for IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexer


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.173 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.172 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.171 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rules contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Originial idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful when AH cannot be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (i.e. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)'s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will set up two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to a separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used by IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexer


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.170 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, it's
its use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rules contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Originial idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing number out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule sourace and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when choosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@


# 1.101 08-Jun-2006 todd

turns out this really doesn't break what is in the tree; ok hshoexer@


# 1.100 07-Jun-2006 hshoexer

make sure, we initialize unspecified keys and spis. Noticed by
naddy@, ok naddy@.


# 1.99 07-Jun-2006 hshoexer

Do not yet expand the "any" keyword to v6 addresses. ok todd@


# 1.98 07-Jun-2006 hshoexer

remove unused prototype, ok todd@


# 1.97 02-Jun-2006 naddy

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@


# 1.96 02-Jun-2006 hshoexer

allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).


# 1.95 02-Jun-2006 hshoexer

simplify handling of peers.


# 1.94 02-Jun-2006 hshoexer

some more cleanup and simplification, no functional change.


# 1.93 02-Jun-2006 hshoexer

put src and dst host in dedicated structure. Make the API more
compact which will soon simplify my life.


# 1.92 02-Jun-2006 hshoexer

Simplify main/quick mode parsing and generation of the actual ike config.


# 1.91 02-Jun-2006 hshoexer

Generalize parsing of main/quick mode specification. Preparation
for lifetime support.


# 1.90 02-Jun-2006 hshoexer

Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.


# 1.89 01-Jun-2006 hshoexer

Final bits for SA grouping.


# 1.88 01-Jun-2006 naddy

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@


# 1.87 01-Jun-2006 markus

print actual key size when warning about the wrong key size; ok hshoexer


# 1.86 01-Jun-2006 deraadt

spacing


# 1.85 01-Jun-2006 hshoexer

knf


# 1.84 01-Jun-2006 todd

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@


# 1.83 01-Jun-2006 hshoexer

When no peer is specified, make this rule a "catch-all" rule for any remote
peer. Similar to isakmpd(8)s "Default=" tag.


# 1.82 31-May-2006 hshoexer

white spaces


# 1.81 31-May-2006 todd

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@


# 1.80 29-May-2006 hshoexer

enable lists.

This allows rules like:

ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.


# 1.79 29-May-2006 hshoexer

Provide functions for copying members of rules. Implement copyrule()
function to copy a single rule. Use that for rule expansion.


# 1.78 29-May-2006 hshoexer

unify code a little bit (consistent variable names).


# 1.77 29-May-2006 hshoexer

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).


# 1.76 29-May-2006 hshoexer

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.


# 1.75 29-May-2006 hshoexer

teach expand_rule() to iterate over host lists, not used yet.


# 1.74 29-May-2006 hshoexer

fix rule numbering (for -vv)
late ikerule also use expand_rule


# 1.73 29-May-2006 hshoexer

merge expand_sa() and expand_rule().


# 1.72 29-May-2006 hshoexer

move generation of reverse flow rules to a separate function.


# 1.71 29-May-2006 hshoexer

unify expansion of SA rules. Needed for general rule expansion.


# 1.70 28-May-2006 hshoexer

when parsing host specifications, initialize host address queue pointers, not
used yet.


# 1.69 28-May-2006 hshoexer

prepare for rule expansion. Get rid of addr_node, link struct
ipsec_addr_wrap directly.


# 1.68 28-May-2006 todd

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@


# 1.67 27-May-2006 hshoexer

allow to specify groups to be used by IKE


# 1.66 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.65 15-May-2006 deraadt

permit proto 0; ok hshoexer


# 1.64 11-May-2006 hshoexer

fix some spelling; noticed by david@


# 1.63 20-Apr-2006 hshoexer

constify char *infile here, too. noticed by lint.


# 1.62 19-Apr-2006 hshoexer

add support for interface groups.


# 1.61 19-Apr-2006 hshoexer

small cleanup: no need to strdup here.


# 1.60 19-Apr-2006 hshoexer

"type" keyword to specify flow type (require, use, etc.)


# 1.59 19-Apr-2006 hshoexer

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth


# 1.58 13-Apr-2006 hshoexer

Add support for "local" to ike rules. Allows to specify the local IP to be
used on a multi-homed machine. Also, relax order of peer/local keywords.

ok markus@


# 1.57 31-Mar-2006 markus

allow specification of encapsulated protocol for ike; ok hshoexer


# 1.56 31-Mar-2006 markus

allow specification of encapsulated protocol for flows; ok hshoexer


# 1.55 30-Mar-2006 hshoexer

when resolving interface names to ip addresses, set netmask to all bits 1


# 1.54 30-Mar-2006 markus

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk


# 1.53 22-Mar-2006 reyk

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@


# 1.52 07-Mar-2006 reyk

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@


# 1.51 07-Mar-2006 reyk

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.50 20-Jan-2006 naddy

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@


# 1.49 17-Jan-2006 reyk

wrap long lines (no binary change)


# 1.48 16-Jan-2006 reyk

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@


# 1.47 12-Dec-2005 hshoexer

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@
cvs: ----------------------------------------------------------------------


# 1.46 06-Dec-2005 markus

ipip support: ip-in-ip w/o gif(4); ok hshoexer


# 1.45 01-Dec-2005 deraadt

spacing


# 1.44 27-Nov-2005 hshoexer

sanity check constraints for transforms.
ok deraadt@


# 1.43 27-Nov-2005 deraadt

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language


# 1.42 26-Nov-2005 hshoexer

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.


# 1.41 24-Nov-2005 hshoexer

Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>


# 1.40 12-Nov-2005 hshoexer

spacing


# 1.39 12-Nov-2005 hshoexer

add support for interface names as host specifications


# 1.38 12-Nov-2005 deraadt

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk


# 1.37 12-Nov-2005 deraadt

simplify TAILQ walking code; ok hshoexer


# 1.36 12-Nov-2005 deraadt

spacing


# 1.35 12-Nov-2005 deraadt

do not stat() before open(); instead -- use fstat(); ok hshoexer


# 1.34 12-Nov-2005 hshoexer

handle transport/tunnel mode


# 1.33 06-Nov-2005 hshoexer

Improved address and address mask handling, derived from pfctl stuff.


# 1.32 06-Nov-2005 hshoexer

better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.


# 1.31 30-Oct-2005 hshoexer

prepare for more flexible hostname resolver. Right now just v4, more to come
(if groups, v6, dns).


# 1.30 30-Oct-2005 hshoexer

add support for ipcomp.


# 1.29 28-Oct-2005 hshoexer

more error message cleanup


# 1.28 16-Oct-2005 hshoexer

Prepare for better host specification parser: dns names, interfaces, etc. But
for now, just ipv4. Derived from pfctl(8).


# 1.27 16-Oct-2005 hshoexer

Unset debug flag.


# 1.26 16-Oct-2005 hshoexer

Add keyword "any" for addresses, reduces to "0.0.0.0/0".


# 1.25 16-Oct-2005 hshoexer

cleanup messages generated by err(3)


Revision tags: OPENBSD_3_8_BASE
# 1.24 22-Aug-2005 hshoexer

Teach ipsecctl to control isakmpd.

ok deraadt


# 1.23 19-Aug-2005 hshoexer

more useful error message


# 1.22 09-Aug-2005 hshoexer

Rewrite handling of transforms. Now both ah and esp can be specified and
validated correctly. Unbreaks ah.


# 1.21 09-Aug-2005 hshoexer

Correct keysize for 3des-cbc


# 1.20 08-Aug-2005 hshoexer

add crypto transforms and static keying rules


# 1.19 08-Aug-2005 hshoexer

prepare for static keying


# 1.18 05-Aug-2005 hshoexer

more key handling stuff.


# 1.17 05-Aug-2005 hshoexer

prepare for authentication and encryption keys, not used yet.


# 1.16 05-Aug-2005 hshoexer

simplify a bit.


# 1.15 02-Aug-2005 hshoexer

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.


# 1.14 24-Jul-2005 hshoexer

use correct function names in error messages


# 1.13 24-Jul-2005 hshoexer

prepare for combining SAs and flows in one single rule, no functional change
yet.


# 1.12 23-Jul-2005 hshoexer

add automatic creation of reverse SAs.

A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
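
The expansion this entry describes, as an added illustration rather than ipsecctl's own code: a small C model that takes the colon-separated spi and key pairs from one tcpmd5 rule and produces the forward SA plus a reverse SA with the endpoints swapped. The struct and function names (sa_spec, expand_tcpmd5, format_sa) are invented for the example; the sample rule is the one quoted above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ipsecctl's code; every name below is invented. */
struct sa_spec {
	char		src[46];	/* fits a textual IPv6 address */
	char		dst[46];
	uint32_t	spi;
	char		key[65];	/* hex key, up to 256 bits */
};

/* Parse "0x2000" or "0x2000:0x2001"; *pair is set if a second SPI follows. */
static int
parse_spi_pair(const char *s, uint32_t *out, uint32_t *in, int *pair)
{
	char		*end;
	unsigned long	 v;

	errno = 0;
	v = strtoul(s, &end, 16);
	if (end == s || errno == ERANGE || v > UINT32_MAX)
		return (-1);
	*out = (uint32_t)v;
	*pair = (*end == ':');
	if (*pair) {
		s = end + 1;
		v = strtoul(s, &end, 16);
		if (end == s || errno == ERANGE || v > UINT32_MAX)
			return (-1);
		*in = (uint32_t)v;
	}
	return (*end == '\0' ? 0 : -1);
}

/* Split "0xbeefdead:0xdeadbeef" into outgoing and incoming keys. */
static int
parse_key_pair(const char *s, char *out, char *in, size_t len, int *pair)
{
	const char	*colon = strchr(s, ':');
	size_t		 n = colon ? (size_t)(colon - s) : strlen(s);

	if (n == 0 || n >= len)
		return (-1);
	memcpy(out, s, n);
	out[n] = '\0';
	*pair = (colon != NULL);
	if (*pair) {
		if (colon[1] == '\0' || strlen(colon + 1) >= len)
			return (-1);
		strcpy(in, colon + 1);
	}
	return (0);
}

/*
 * Expand "tcpmd5 from SRC to DST spi A[:B] key X[:Y]" into one or two SAs.
 * Returns the count written to out, or -1 for a malformed spec or one that
 * gives two SPIs but a single key (or the reverse).
 */
int
expand_tcpmd5(const char *src, const char *dst, const char *spi,
    const char *key, struct sa_spec out[2])
{
	uint32_t	spi_o, spi_i = 0;
	char		key_o[65], key_i[65];
	int		spi_pair, key_pair;

	if (parse_spi_pair(spi, &spi_o, &spi_i, &spi_pair) == -1 ||
	    parse_key_pair(key, key_o, key_i, sizeof key_o, &key_pair) == -1 ||
	    spi_pair != key_pair ||
	    strlen(src) >= sizeof out[0].src || strlen(dst) >= sizeof out[0].dst)
		return (-1);

	memset(out, 0, 2 * sizeof *out);
	/* forward SA: src -> dst, first SPI and key */
	strcpy(out[0].src, src);
	strcpy(out[0].dst, dst);
	out[0].spi = spi_o;
	strcpy(out[0].key, key_o);
	if (!spi_pair)
		return (1);
	/* reverse SA: endpoints swapped, second SPI and key */
	strcpy(out[1].src, dst);
	strcpy(out[1].dst, src);
	out[1].spi = spi_i;
	strcpy(out[1].key, key_i);
	return (2);
}

/* Render an SA the way the expanded rules are printed above. */
void
format_sa(const struct sa_spec *sa, char *buf, size_t len)
{
	snprintf(buf, len, "tcpmd5 from %s to %s spi 0x%08x key %s",
	    sa->src, sa->dst, (unsigned)sa->spi, sa->key);
}
```

A single spi with a single key yields one SA; a pair of SPIs with only one key is rejected instead of silently reusing the same key in both directions.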


# 1.11 23-Jul-2005 hshoexer

prepare for specifying both in and out key, not used yet.


# 1.10 23-Jul-2005 hshoexer

prepare for specifying incoming and outgoing SPIs, not used yet.


# 1.9 10-Jul-2005 hshoexer

allow reading key from a file


# 1.8 09-Jul-2005 hshoexer

it's ok to not specify the key when deleting a tcpmd5 SA


# 1.7 09-Jul-2005 hshoexer

add support for tcpmd5


# 1.6 07-Jul-2005 hshoexer

set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.


# 1.5 07-Jul-2005 hshoexer

add type for rules; will need this for tcpmd5


# 1.4 25-May-2005 hshoexer

do not swap srcid/dstid for INOUT rules.


# 1.3 25-May-2005 hshoexer

use bzero


# 1.2 04-Apr-2005 hshoexer

fix cvs id tags


# 1.1 04-Apr-2005 hshoexer

Add ipsecctl utility, work in progress

ok deraadt


# 1.169 27-Oct-2017 mpi

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


Revision tags: OPENBSD_6_2_BASE
# 1.168 19-Apr-2017 bluhm

Rename all SA groups to bundles consistently. The first kernel
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@


# 1.167 14-Apr-2017 bluhm

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@


Revision tags: OPENBSD_6_1_BASE
# 1.166 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


Revision tags: OPENBSD_6_0_BASE
# 1.165 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


Revision tags: OPENBSD_5_9_BASE
# 1.164 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.163 04-Nov-2015 mikeb

Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy


Revision tags: OPENBSD_5_8_BASE
# 1.162 03-Jun-2015 millert

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@


Revision tags: OPENBSD_5_7_BASE
# 1.161 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.160 04-Nov-2014 doug

Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format
characters.

ok sthen@ naddy@ markus@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.159 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.158 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.157 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.156 10-Jul-2012 lteo

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning


# 1.155 08-Jul-2012 naddy

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@


# 1.154 07-Jul-2012 naddy

copy&paste mistake in error message


# 1.153 30-Jun-2012 naddy

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


Revision tags: OPENBSD_5_1_BASE
# 1.152 20-Dec-2011 mikeb

unsigned long should use "%lu" format; from eric lax, thanks


Revision tags: OPENBSD_5_0_BASE
# 1.151 06-Jul-2011 deraadt

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio


Revision tags: OPENBSD_4_9_BASE
# 1.150 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.149 22-Sep-2010 mikeb

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.

Example configuration:

ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy
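
The two constraints these entries state, as an added example that is not ipsecctl's code: the 1.155 entry refuses manual SAs for the counter-mode transforms, and the key sizes listed above for the gcm/gmac family include the 32-bit nonce. The validator below encodes both, reporting the actual key size on a mismatch as the 1.87 entry asks. The names (enc_xf, check_enc, required_keybits, KEYING_MANUAL) are invented; the ctr key sizes are taken from the RFC 3686 layout (AES key plus 32-bit nonce), not from this page.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ipsecctl's code; the names here are invented. */
enum keying { KEYING_IKE, KEYING_MANUAL };

struct enc_xf {
	const char	*name;
	unsigned	 keybits;	/* key material, 32-bit nonce included */
	int		 nonce_based;	/* CTR/GCM/GMAC: nonce reuse under a key is fatal */
};

/*
 * gcm/gmac sizes are the ones listed in the log entry (AES key plus 32-bit
 * nonce); the ctr entries follow the same layout per RFC 3686.
 */
static const struct enc_xf enc_xfs[] = {
	{ "3des-cbc",	  192, 0 },
	{ "aes-128-cbc",  128, 0 }, { "aes-192-cbc",  192, 0 }, { "aes-256-cbc",  256, 0 },
	{ "aes-128-ctr",  160, 1 }, { "aes-192-ctr",  224, 1 }, { "aes-256-ctr",  288, 1 },
	{ "aes-128-gcm",  160, 1 }, { "aes-192-gcm",  224, 1 }, { "aes-256-gcm",  288, 1 },
	{ "aes-128-gmac", 160, 1 }, { "aes-192-gmac", 224, 1 }, { "aes-256-gmac", 288, 1 },
};

static const struct enc_xf *
lookup_enc(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof enc_xfs / sizeof enc_xfs[0]; i++)
		if (strcmp(enc_xfs[i].name, name) == 0)
			return (&enc_xfs[i]);
	return (NULL);
}

/* Key material the transform expects, or 0 for an unknown name. */
unsigned
required_keybits(const char *name)
{
	const struct enc_xf *xf = lookup_enc(name);

	return (xf ? xf->keybits : 0);
}

/*
 * Accept or reject an "enc" transform for a rule.  For ike rules keybits is
 * ignored (the daemon derives the keys).  For manually keyed SAs the
 * nonce-based transforms are refused outright and the supplied key must have
 * exactly the expected length.  Returns 0 if acceptable, -1 with a message
 * in errbuf otherwise.
 */
int
check_enc(const char *name, enum keying k, unsigned keybits,
    char *errbuf, size_t errlen)
{
	const struct enc_xf *xf = lookup_enc(name);

	if (xf == NULL) {
		snprintf(errbuf, errlen, "unknown encryption transform %s", name);
		return (-1);
	}
	if (k == KEYING_MANUAL && xf->nonce_based) {
		snprintf(errbuf, errlen,
		    "%s cannot be used with static keys (RFC 3686/4106/4543)",
		    name);
		return (-1);
	}
	if (k == KEYING_MANUAL && keybits != xf->keybits) {
		/* report the size actually given, not just that it is wrong */
		snprintf(errbuf, errlen,
		    "%s: wrong key size %u bits, expected %u", name, keybits,
		    xf->keybits);
		return (-1);
	}
	errbuf[0] = '\0';
	return (0);
}
```

The same transform is thus fine under ike ("enc aes-256-gcm" with a psk, as in the configuration above) and rejected in a static esp rule, regardless of whether the static key happens to have the right length.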


Revision tags: OPENBSD_4_8_BASE
# 1.148 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.147 10-May-2010 krw

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.


Revision tags: OPENBSD_4_7_BASE
# 1.146 04-Aug-2009 jsing

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@


Revision tags: OPENBSD_4_6_BASE
# 1.145 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


Revision tags: OPENBSD_4_5_BASE
# 1.144 30-Jan-2009 bluhm

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@


# 1.143 29-Jan-2009 bluhm

After checking that peer == NULL do not assign peer = NULL a few
lines later. No functional change.

ok grunk@, hshoexer@


# 1.142 28-Jan-2009 bluhm

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@


# 1.141 20-Jan-2009 mpf

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@


# 1.140 14-Nov-2008 hshoexer

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.


# 1.139 17-Oct-2008 henning

findeol() fix from pfctl


Revision tags: OPENBSD_4_4_BASE
# 1.138 01-Jul-2008 bluhm

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer


# 1.137 01-Jul-2008 bluhm

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer


# 1.136 14-Jun-2008 bluhm

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer


# 1.135 11-Jun-2008 bluhm

trivial code simplification
tested and ok hshoexer, grunk


# 1.134 11-Apr-2008 reyk

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.133 22-Feb-2008 hshoexer

Support for specifying aes-{128,192,256}. Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!

ok todd@


# 1.132 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.131 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.130 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.129 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
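
What the quoted-string rules in this entry and the embedded-NUL check from the 1.161 entry add up to, as an added example that is not the shared OpenBSD yylex: a reader for one double-quoted token that drops the backslash before a quote, space or tab, treats backslash-newline as a line continuation, keeps the backslash in front of any other character, and fails on a NUL byte inside the string. The function name lex_quoted is invented; that a raw newline inside quotes is counted for line numbering but not stored is an assumption of this example, not something the page states.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not the pfctl-derived yylex.  Read a double-quoted string
 * that starts at buf[0], write the unescaped contents to out, and return the
 * number of input bytes consumed (both quotes included), or -1 on error:
 * no opening quote, unterminated string, output too long, or a NUL byte
 * inside the string.
 */
long
lex_quoted(const unsigned char *buf, size_t len, char *out, size_t outlen,
    int *lineno)
{
	size_t		i = 1, o = 0;
	unsigned char	c, next;

	if (len == 0 || buf[0] != '"')
		return (-1);
	while (i < len) {
		c = buf[i++];
		if (c == '\n') {
			/* raw newline: counted, not stored (example assumption) */
			(*lineno)++;
			continue;
		} else if (c == '\\') {
			if (i >= len)
				return (-1);	/* backslash at end of input */
			next = buf[i];
			if (next == '\n') {	/* \<newline>: line continuation */
				i++;
				(*lineno)++;
				continue;
			}
			if (next == '"' || next == ' ' || next == '\t') {
				c = next;	/* \" \<space> \<tab> lose the backslash */
				i++;
			}
			/* any other \x keeps the backslash; x is read next round */
		} else if (c == '"') {
			out[o] = '\0';
			return ((long)i);
		} else if (c == '\0') {
			/*
			 * A NUL would terminate the C string early, so the
			 * token's length and its contents would disagree;
			 * that mismatch is what the fuzzer found in pfctl.
			 */
			return (-1);
		}
		if (o + 1 >= outlen)
			return (-1);	/* string too long */
		out[o++] = (char)c;
	}
	return (-1);	/* unterminated string */
}
```

The caller passes the buffer length explicitly rather than relying on strlen(), which is the only way the NUL check can see the byte at all.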


# 1.128 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.127 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.126 12-Sep-2007 hshoexer

Here too: Add support to the lex for parsing numbers out of the stream.
handle this in the parser. better range checks.

with and ok deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.125 10-Aug-2007 markus

duplicate strdup; ok hshoexer


# 1.124 03-Jul-2007 markus

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf


# 1.123 10-May-2007 hshoexer

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@


# 1.122 16-Mar-2007 markus

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk


Revision tags: OPENBSD_4_1_BASE
# 1.121 26-Feb-2007 todd

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@


# 1.120 19-Feb-2007 hshoexer

Bits for ESP+NULL encryption. This is useful, when AH can not be
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@


# 1.119 19-Feb-2007 hshoexer

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@


# 1.118 16-Feb-2007 hshoexer

Do not accept '\n' in quoted strings. Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)


# 1.117 10-Jan-2007 markus

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@


# 1.116 04-Jan-2007 markus

don't pass -1 as a netmask; report vicviq at gmail.com


# 1.115 02-Jan-2007 itojun

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)


# 1.114 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 1.113 13-Nov-2006 mcbride

Handle rules with addresses from mismatched address families correctly.

ok msf@


# 1.112 10-Nov-2006 msf

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@


# 1.111 10-Nov-2006 hshoexer

Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.


# 1.110 01-Nov-2006 mcbride

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer


# 1.109 22-Sep-2006 hshoexer

typo in err(); from bret.lambert@gmail.com, thanks!


Revision tags: OPENBSD_4_0_BASE
# 1.108 18-Jun-2006 hshoexer

branches: 1.108.2;
add group "none"; when chosen, pfs will be disabled.

ok david msf


# 1.107 16-Jun-2006 hshoexer

report the correct line number on an error. Noticed by david@


# 1.106 11-Jun-2006 hshoexer

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying. markus@ seconds this, so use AES CBC as default.

ok naddy@


# 1.105 10-Jun-2006 hshoexer

Better error message when a key file can not be opened or the provided key is
not of correct size. Suggested by david@


# 1.104 10-Jun-2006 deraadt

knf & careful data freeing, regression tested by todd


# 1.103 08-Jun-2006 hshoexer

fix some indentation, noticed by david@


# 1.102 08-Jun-2006 naddy

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@

