-consistently use "char *" for the compiled policy buffer in the

ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
 in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
 differences between KAME ans FAST_IPSEC

crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: ipsec_set_policy.3,v 1.15 2010/03/05 06:47:58 tteras Exp $
+.\"	$NetBSD: ipsec_set_policy.3,v 1.16 2012/01/04 15:55:35 drochner Exp $
 .\"
 .\"	$KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
 .\"
@@ -43,11 +43,11 @@
 .Sh SYNOPSIS
 .In netinet6/ipsec.h
 .Ft "char *"
-.Fn ipsec_set_policy "char *policy" "int len"
+.Fn ipsec_set_policy "const char *policy" "int len"
 .Ft int
 .Fn ipsec_get_policylen "char *buf"
 .Ft "char *"
-.Fn ipsec_dump_policy "char *buf" "char *delim"
+.Fn ipsec_dump_policy "char *buf" "const char *delim"
 .Sh DESCRIPTION
 .Fn ipsec_set_policy
 generates an IPsec policy specification structure, namely

crypto/dist/ipsec-tools/src/libipsec/libpfkey.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: libpfkey.h,v 1.18 2010/12/03 14:32:52 tteras Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.19 2012/01/04 15:55:35 drochner Exp $	*/
 
 /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
 
@@ -59,7 +59,11 @@ struct sadb_alg;
 
 #ifndef HAVE_IPSEC_POLICY_T
 typedef caddr_t ipsec_policy_t;
+#ifdef __NetBSD__
+#define __ipsec_const const
+#else
 #define __ipsec_const
+#endif
 #else
 #define __ipsec_const const
 #endif

crypto/dist/ipsec-tools/src/libipsec/policy_token.l

@@ -1,4 +1,4 @@
-/*	$NetBSD: policy_token.l,v 1.7 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: policy_token.l,v 1.8 2012/01/04 15:55:35 drochner Exp $	*/
 
 /* Id: policy_token.l,v 1.12 2005/05/05 12:32:18 manubsd Exp */
 
@@ -64,6 +64,7 @@ int yylex __P((void));
 
 %option noyywrap
 %option nounput
+%option noinput
 
 /* common section */
 nl		\n

lib/libipsec/Makefile

@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.17 2007/05/28 12:06:19 tls Exp $
+# $NetBSD: Makefile,v 1.18 2012/01/04 15:55:36 drochner Exp $
 
 USE_FORT?= yes	# network protocol library
 
@@ -10,8 +10,7 @@ WARNS=	0	# Will be fixed later
 DIST=	${NETBSDSRCDIR}/crypto/dist/ipsec-tools
 LIB=	ipsec
 CPPFLAGS+= -I${DIST}/src/libipsec -I. -DHAVE_CONFIG_H
-CPPFLAGS+= -DIPSEC_DEBUG -I${.CURDIR} -I${NETBSDSRCDIR}/sys
+CPPFLAGS+= -DIPSEC_DEBUG -I${.CURDIR}
-CPPFLAGS+= -DSADB_X_EALG_AESCBC=SADB_X_EALG_AES
 # Don't worry about argument promotion for now.
 LINTFLAGS+=     -X 58
 

lib/libipsec/config.h

@@ -75,7 +75,7 @@
 #define HAVE_INTTYPES_H 1
 
 /* Have ipsec_policy_t */
-#define HAVE_IPSEC_POLICY_T
+/* #undef HAVE_IPSEC_POLICY_T */
 
 /* Hybrid authentication uses PAM */
 /* NetBSD build: -DHAVE_LIBPAM is already supplied on the command line */

sbin/ping6/ping6.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ping6.c,v 1.78 2011/09/16 16:13:18 plunky Exp $	*/
+/*	$NetBSD: ping6.c,v 1.79 2012/01/04 15:55:36 drochner Exp $	*/
 /*	$KAME: ping6.c,v 1.164 2002/11/16 14:05:37 itojun Exp $	*/
 
 /*
@@ -77,7 +77,7 @@ static char sccsid[] = "@(#)ping.c	8.1 (Berkeley) 6/5/93";
 #else
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: ping6.c,v 1.78 2011/09/16 16:13:18 plunky Exp $");
+__RCSID("$NetBSD: ping6.c,v 1.79 2012/01/04 15:55:36 drochner Exp $");
 #endif
 #endif
 
@@ -132,7 +132,7 @@ __RCSID("$NetBSD: ping6.c,v 1.78 2011/09/16 16:13:18 plunky Exp $");
 #include <poll.h>
 
 #ifdef IPSEC
-#include <netinet6/ah.h>
+#include <netinet/ip6.h>
 #include <netinet6/ipsec.h>
 #endif
 
@@ -2446,8 +2446,8 @@ pr_retip(struct ip6_hdr *ip6, u_char *end)
 #ifdef IPSEC
 		case IPPROTO_AH:
 			printf("AH ");
-			hlen = (((struct ah *)cp)->ah_len+2) << 2;
+			hlen = (((struct ip6_ext *)cp)->ip6e_len+2) << 2;
-			nh = ((struct ah *)cp)->ah_nxt;
+			nh = ((struct ip6_ext *)cp)->ip6e_nxt;
 			break;
 #endif
 		case IPPROTO_ICMPV6:

sbin/setkey/Makefile

@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.12 2009/10/29 14:34:06 christos Exp $
+# $NetBSD: Makefile,v 1.13 2012/01/04 15:55:36 drochner Exp $
 
 WARNS?=	3	# XXX: sign-compare issues
 
@@ -15,7 +15,6 @@ DIST=	${NETBSDSRCDIR}/crypto/dist/ipsec-tools
 CPPFLAGS+= -I${DIST}/src/setkey -I${DIST}/src/libipsec
 CPPFLAGS+= -I${NETBSDSRCDIR}/lib/libipsec -I.
 CPPFLAGS+= -DIPSEC_DEBUG -DHAVE_CONFIG_H
-CPPFLAGS+= -DSADB_X_EALG_AESCBC=SADB_X_EALG_AES
 
 LDADD+= -ll -ly -lipsec
 DPADD+=	${LIBL} ${LIBY} ${LIBIPSEC}

sys/netinet6/Makefile

@@ -1,10 +1,13 @@
-#	$NetBSD: Makefile,v 1.6 2002/11/26 23:30:33 lukem Exp $
+#	$NetBSD: Makefile,v 1.7 2012/01/04 15:55:36 drochner Exp $
 
 INCSDIR= /usr/include/netinet6
 
-INCS=	ah.h esp.h in6.h in6_gif.h in6_ifattach.h in6_pcb.h \
+INCS=	in6.h in6_gif.h in6_ifattach.h in6_pcb.h \
 	in6_var.h ip6_mroute.h ip6_var.h ip6protosw.h \
-	ipcomp.h ipsec.h mld6_var.h nd6.h pim6.h pim6_var.h \
+	mld6_var.h nd6.h pim6.h pim6_var.h \
 	raw_ip6.h udp6.h udp6_var.h
+INCS+=	ipsec.h
+# XXX ah.h is used by ping6, rest unneeded
+INCS+=	ah.h esp.h ipcomp.h
 
 .include <bsd.kinc.mk>

sys/netinet6/ipsec.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.51 2009/05/06 21:41:59 elad Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.52 2012/01/04 15:55:36 drochner Exp $	*/
 /*	$KAME: ipsec.h,v 1.51 2001/08/05 04:52:58 itojun Exp $	*/
 
 /*
@@ -447,10 +447,9 @@ extern int ipsec6_sysctl(int *, u_int, void *, size_t *, void *, size_t);
 #endif /* _KERNEL */
 
 #ifndef _KERNEL
-typedef void *ipsec_policy_t;
+extern char *ipsec_set_policy(const char *, int);
-extern ipsec_policy_t ipsec_set_policy(const char *, int);
+extern int ipsec_get_policylen(char *);
-extern int ipsec_get_policylen(ipsec_policy_t);
+extern char *ipsec_dump_policy(char *, const char *);
-extern char *ipsec_dump_policy(ipsec_policy_t, const char *);
 
 extern const char *ipsec_strerror(void);
 #endif /* !_KERNEL */

sys/netipsec/Makefile

@@ -1,8 +1,10 @@
-#	$NetBSD: Makefile,v 1.2 2005/12/11 12:25:05 christos Exp $
+#	$NetBSD: Makefile,v 1.3 2012/01/04 15:55:36 drochner Exp $
 
 INCSDIR= /usr/include/netipsec
 
 INCS=	ah_var.h  esp_var.h ipcomp_var.h ipip_var.h ipsec_var.h \
 	keydb.h
+# notyet
+#INCS+=	ipsec.h
 
 .include <bsd.kinc.mk>

sys/netipsec/ipsec.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.29 2011/06/09 19:54:18 drochner Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.30 2012/01/04 15:55:36 drochner Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -44,11 +44,12 @@
 #endif
 
 #include <net/pfkeyv2.h>
-#include <netipsec/ipsec_osdep.h>
 #include <netipsec/keydb.h>
 
 #ifdef _KERNEL
 
+#include <netipsec/ipsec_osdep.h>
+
 /*
  * Security Policy Index
  * Ensure that both address families in the "src" and "dst" are same.
@@ -352,9 +353,9 @@ int ipsec_clear_socket_cache(struct mbuf *m)
 #endif /* _KERNEL */
 
 #ifndef _KERNEL
-void *ipsec_set_policy (char *, int);
+char *ipsec_set_policy (const char *, int);
-int ipsec_get_policylen (void *);
+int ipsec_get_policylen (char *);
-char *ipsec_dump_policy (void *, char *);
+char *ipsec_dump_policy (char *, const char *);
 
 const char *ipsec_strerror (void);
 #endif /* !_KERNEL */

usr.sbin/racoon/Makefile

@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.23 2011/05/30 14:41:27 joerg Exp $
+# $NetBSD: Makefile,v 1.24 2012/01/04 15:55:36 drochner Exp $
 
 WARNS?=	0	# XXX third-party program, many issues
 NOCLANGERROR=	# defined
@@ -30,7 +30,6 @@ CPPFLAGS+= -I${NETBSDSRCDIR}/lib/libipsec -I.
 CPPFLAGS+= -DIPSEC_DEBUG -DHAVE_CONFIG_H
 CPPFLAGS+= -DADMINPORTDIR=\"/var/run\"
 CPPFLAGS+= -DSYSCONFDIR=\"/etc/racoon\"
-CPPFLAGS+= -DSADB_X_EALG_AESCBC=SADB_X_EALG_AES
 
 LDADD+= -ll -ly -lipsec -lutil
 DPADD+= ${LIBL} ${LIBY} ${LIBCRYPTO} ${LIBUTIL}