Bits for ESP+NULL encryption. This is useful, when AH can not be

used (when being behind NAT).  With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@

2 files changed, 7 insertions, 4 deletions

diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 62a628571d3..0a7b579be63 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ike.c,v 1.59 2006/12/18 00:08:04 msf Exp $	*/
+/*	$OpenBSD: ike.c,v 1.60 2007/02/19 09:00:46 hshoexer Exp $	*/
 /*
  * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -254,6 +254,9 @@ ike_section_p2(struct ipsec_rule *r, FILE *fd)
 			case ENCXF_CAST128:
 				fprintf(fd, "CAST");
 				break;
+			case ENCXF_NULL:
+				fprintf(fd, "NULL");
+				break;
 			default:
 				warnx("illegal transform %s",
 				    r->p2xfs->encxf->name);
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index c15d9a07a13..af15c94214f 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.119 2007/02/19 08:29:30 hshoexer Exp $	*/
+/*	$OpenBSD: parse.y,v 1.120 2007/02/19 09:00:46 hshoexer Exp $	*/
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1991,11 +1991,11 @@ validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs,
 		return (0);
 	}
 	if (xfs && xfs->authxf) {
-		if (!authkey) {
+		if (!authkey && xfs->authxf != &authxfs[AUTHXF_NONE]) {
 			yyerror("no authentication key specified");
 			return (0);
 		}
-		if (authkey->len != xfs->authxf->keymin) {
+		if (authkey && authkey->len != xfs->authxf->keymin) {
 			yyerror("wrong authentication key length, needs to be "
 			    "%d bits", xfs->authxf->keymin * 8);
 			return (0);