gmtime(3) / locatime(3) can fail when timestamps are way off.

Add missing error checks to all calls under sbin/

Input & OK millert

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone. Reomve all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@

snprintf/vsnprintf return < 0 on error, rather than -1.

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

show more ...

Spacing, no object change.

space -> tab

No object change.

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert

remove casts to time_t * which are not needed

remove excessive includes

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).

Thoroughly tested by me and naddy. Works fine with Linux.

Require

Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

ok naddy

show more ...

Allow key exchange with RSA signature authentication to work with
Cisco IOS and other initiators that only send their certs in response
to CERT_REQUEST.

With input and help from cloder@, Stuart Hend

Allow key exchange with RSA signature authentication to work with
Cisco IOS and other initiators that only send their certs in response
to CERT_REQUEST.

With input and help from cloder@, Stuart Henderson, mpf@, and several
others who did lots of testing - thanks to all.

ok hshoexer@

show more ...

There's no point in checking ptr for NULL before doing free(ptr)
since free(NULL) is just fine.

ok hshoexer@

keynote_cert_obtain should not leak in case of error. OK moritz@

Do not leak file descriptor in error path. From Andrey Matveev
<evol at online dot ptt dot ru>, thanks!

use snprintf; ok cloder. also looked at by a few other people

add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947

ok markus

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Als

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer

show more ...

we have IPPROTO_ETHERIP

nat-traversal always

knf, ok cloder

spacing; ok cloder

handle return value of snprintf more carefully

ok cloder ho

where possible, use bzero instead of memset

ok cloder henning