Use clock_gettime(CLOCK_MONOTONIC) to schedule timers

From Scott Cheloha, ok tb@

Remove a mid-layer which acts like arc4random isn't fairly standard.
ok mikeb

regrand can die, from millert

improve randomization. remove some junk debugging features that are
fundamentally broken.
ok jsing mikeb

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
i

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

show more ...

remove some unused functions and an unused variable found by lint.

ok markus@

Add a new raw2hex function and yank out several pieces of code in other
places that were doing this. Prodding deraadt. OK hshoexer.

output some more information on UI command "S"

ok ho@

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Als

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer

show more ...

remove dead code, noted by ho@

remove unused function udp_decode_port(), add modified version as text2port() to
utilities.

ok cloder ho

Allow the Address, Network, or Netmask values of the <IPsec-ID> to be
specified with an interface name (in which case the first address is used)
or the keyword 'default' (in which case the address is

Allow the Address, Network, or Netmask values of the <IPsec-ID> to be
specified with an interface name (in which case the first address is used)
or the keyword 'default' (in which case the address is selected based on the
default route). eg:

[roadwarrior-ip]
ID-type= IPV4_ADDR
Address= default

ok ho@ hshoexer@

show more ...

Avoid stat before open. Do open and fstat instead.
Remove check_file_secrecy() as it is obsoleted be check_file_secrecy_fd().

ok ho@

NAT-Traversal for isakmpd. Work in progress...
hshoexer@ ok.

stat before open is flawed

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer

show more ...

Fix payload handling flaws found by cloder@. Based on initial patch by
cloder@. Testing by markus@ cloder@ hshoexer@.

ok ho@

Log the actual port for src and dst, don't assume it's always 500.

Remove clauses 3 and 4. With approval from Niklas Hallqvist and
Niels Provos.

off_t to size_t change for printf format and malloc. Pointed out by <greg@nest.cx>

Just rename sockaddr_data/len functions to sockaddr_addrdata/addrlen.

Alphabeticize extern decls.

Add prototypes and some other various cleanup.

strict strtol checking. text2sockaddr/sockaddr2text implementations
for systems without get{addr,name}info calls. Some style police.

Initial IPv6 support. (niklas@ ok)