Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/encap.c231
-rw-r--r--sys/net/encap.h140
-rw-r--r--sys/net/if.c4
-rw-r--r--sys/net/if_enc.c16
4 files changed, 294 insertions, 97 deletions
diff --git a/sys/net/encap.c b/sys/net/encap.c
index 11c44a79561..9e0845f098b 100644
--- a/sys/net/encap.c
+++ b/sys/net/encap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: encap.c,v 1.7 1997/07/02 06:58:40 provos Exp $ */
+/* $OpenBSD: encap.c,v 1.8 1997/07/11 23:37:51 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -32,6 +32,8 @@
#include <sys/domain.h>
#include <sys/protosw.h>
#include <sys/ioctl.h>
+#include <vm/vm.h>
+#include <sys/sysctl.h>
#include <net/if.h>
#include <net/route.h>
@@ -46,14 +48,13 @@
#include <netinet/ip_ipsp.h>
#include <netinet/ip_ip4.h>
-extern struct ifnet loif;
-
-extern int ipspkernfs_dirty;
+#include <sys/syslog.h>
void encap_init(void);
int encap_output __P((struct mbuf *, ...));
int encap_usrreq(struct socket *, int, struct mbuf *, struct mbuf *,
struct mbuf *);
+int encap_sysctl(int *, u_int, void *, size_t *, void *, size_t);
extern int tdb_init(struct tdb *, struct mbuf *);
@@ -68,15 +69,38 @@ struct protosw encapsw[] = {
raw_input, encap_output, raw_ctlinput, 0,
encap_usrreq,
encap_init, 0, 0, 0,
+ encap_sysctl
},
};
struct domain encapdomain =
{ AF_ENCAP, "encapsulation", 0, 0, 0,
- encapsw, &encapsw[sizeof(encapsw)/sizeof(encapsw[0])], 0,
+ encapsw, &encapsw[sizeof(encapsw) / sizeof(encapsw[0])], 0,
rn_inithead, 16, sizeof(struct sockaddr_encap)};
+/*
+ * Sysctl for encap variables
+ */
+int
+encap_sysctl(int *name, u_int namelen, void *oldp, size_t *oldplenp,
+ void *newp, size_t newlen)
+{
+ /* All sysctl names at this level are terminal */
+ if (namelen != 1)
+ return ENOTDIR;
+
+ switch (name[0])
+ {
+ case IPSECCTL_ENCDEBUG:
+ return (sysctl_int(oldp, oldplenp, newp, newlen, &encdebug));
+
+ default:
+ return ENOPROTOOPT;
+ }
+ /* Not reached */
+}
+
void
encap_init()
{
@@ -84,7 +108,7 @@ encap_init()
for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++)
{
- printf("encap_init: attaching <%s>\n", xsp->xf_name);
+ log(LOG_INFO, "encap_init(): attaching <%s>\n", xsp->xf_name);
(*(xsp->xf_attach))();
}
}
@@ -101,7 +125,10 @@ encap_usrreq(register struct socket *so, int req, struct mbuf *m,
if (req == PRU_ATTACH)
{
MALLOC(rp, struct rawcb *, sizeof(*rp), M_PCB, M_WAITOK);
- if ((so->so_pcb = (caddr_t)rp))
+ if (rp == (struct rawcb *) NULL)
+ return ENOBUFS;
+
+ if ((so->so_pcb = (caddr_t) rp))
bzero(so->so_pcb, sizeof(*rp));
}
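Review bot: After the new `rp == NULL` early return, the test in `if ((so->so_pcb = (caddr_t) rp))` can no longer be false, so the assignment inside the condition only obscures the flow. It reads more plainly as `so->so_pcb = (caddr_t) rp;` followed by an unconditional `bzero(so->so_pcb, sizeof(*rp));`. The allocation is made with M_WAITOK, so whether the NULL branch is reachable at all depends on the allocator, which is not visible here. encap_usrreq starts before and continues after this hunk.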
@@ -114,7 +141,7 @@ encap_usrreq(register struct socket *so, int req, struct mbuf *m,
if (error)
{
- free((caddr_t)rp, M_PCB);
+ free((caddr_t) rp, M_PCB);
splx(s);
return error;
}
@@ -136,14 +163,16 @@ va_dcl
#endif
{
#define SENDERR(e) do { error = e; goto flush;} while (0)
+ struct sockaddr_encap encapdst, encapgw, encapnetmask;
int len, emlen, error = 0;
struct encap_msghdr *emp;
struct tdb *tdbp, *tdbp2;
caddr_t buffer = 0;
struct socket *so;
+ struct flow *flow;
u_int32_t spi;
va_list ap;
-
+
va_start(ap, m);
so = va_arg(ap, struct socket *);
va_end(ap);
@@ -153,7 +182,7 @@ va_dcl
return ENOBUFS;
if ((m->m_flags & M_PKTHDR) == 0)
- panic("encap_output");
+ panic("encap_output()");
len = m->m_pkthdr.len;
@@ -191,28 +220,24 @@ va_dcl
(emp->em_odst.s_addr != 0))
SENDERR(EINVAL);
- tdbp = gettdb(emp->em_spi, emp->em_dst);
+ tdbp = gettdb(emp->em_spi, emp->em_dst, emp->em_sproto);
if (tdbp == NULL)
{
- MALLOC(tdbp, struct tdb *, sizeof (*tdbp), M_TDB, M_WAITOK);
+ MALLOC(tdbp, struct tdb *, sizeof(*tdbp), M_TDB, M_WAITOK);
if (tdbp == NULL)
SENDERR(ENOBUFS);
- bzero((caddr_t)tdbp, sizeof(*tdbp));
+ bzero((caddr_t) tdbp, sizeof(*tdbp));
tdbp->tdb_spi = emp->em_spi;
tdbp->tdb_dst = emp->em_dst;
-
+ tdbp->tdb_sproto = emp->em_sproto;
puttdb(tdbp);
}
else
if (tdbp->tdb_xform)
(*tdbp->tdb_xform->xf_zeroize)(tdbp);
- tdbp->tdb_proto = emp->em_proto;
- tdbp->tdb_sport = emp->em_sport;
- tdbp->tdb_dport = emp->em_dport;
-
tdbp->tdb_src = emp->em_src;
/* Check if this is an encapsulating SPI */
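Review bot: `emp->em_sproto` is taken from the userland message and becomes part of the TDB key (the `gettdb()` call and `tdbp->tdb_sproto`), yet no check on its value is visible in this hunk. encap.h in the same commit documents the field as "ESP or AH", so a guard before the lookup such as `if (emp->em_sproto != IPPROTO_ESP && emp->em_sproto != IPPROTO_AH) SENDERR(EINVAL);` would keep entries with other protocol numbers out of the table. Such a check may already exist elsewhere in the EMT_SETSPI case, which starts and ends outside this hunk.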
@@ -308,15 +333,13 @@ va_dcl
if (error)
SENDERR(EINVAL);
- ipspkernfs_dirty = 1;
-
break;
case EMT_DELSPI:
if (emlen != EMT_DELSPI_FLEN)
SENDERR(EINVAL);
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst);
+ tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst, emp->em_gen_sproto);
if (tdbp == NULL)
SENDERR(ENOENT);
@@ -330,7 +353,7 @@ va_dcl
if (emlen != EMT_DELSPICHAIN_FLEN)
SENDERR(EINVAL);
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst);
+ tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst, emp->em_gen_sproto);
if (tdbp == NULL)
SENDERR(ENOENT);
@@ -344,26 +367,28 @@ va_dcl
if (emlen != EMT_GRPSPIS_FLEN)
SENDERR(EINVAL);
- tdbp = gettdb(emp->em_rel_spi, emp->em_rel_dst);
+ tdbp = gettdb(emp->em_rel_spi, emp->em_rel_dst, emp->em_rel_sproto);
if (tdbp == NULL)
SENDERR(ENOENT);
- tdbp2 = gettdb(emp->em_rel_spi2, emp->em_rel_dst2);
+ tdbp2 = gettdb(emp->em_rel_spi2, emp->em_rel_dst2,
+ emp->em_rel_sproto2);
if (tdbp2 == NULL)
SENDERR(ENOENT);
tdbp->tdb_onext = tdbp2;
tdbp2->tdb_inext = tdbp;
- ipspkernfs_dirty = 1;
error = 0;
+
break;
case EMT_RESERVESPI:
if (emlen != EMT_RESERVESPI_FLEN)
SENDERR(EINVAL);
- spi = reserve_spi(emp->em_gen_spi, emp->em_gen_dst, &error);
+ spi = reserve_spi(emp->em_gen_spi, emp->em_gen_dst,
+ emp->em_gen_sproto, &error);
if (spi == 0)
SENDERR(error);
@@ -384,40 +409,174 @@ va_dcl
break;
- case EMT_ENABLESPI:
- if (emlen != EMT_ENABLESPI_FLEN)
+ case EMT_VALIDATE:
+ if (emlen != EMT_VALIDATE_FLEN)
SENDERR(EINVAL);
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst);
+ tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst, emp->em_gen_sproto);
if (tdbp == NULL)
SENDERR(ENOENT);
/* Clear the INVALID flag */
tdbp->tdb_flags &= (~TDBF_INVALID);
- /* XXX Install a routing entry */
-
error = 0;
break;
- case EMT_DISABLESPI:
- if (emlen != EMT_DISABLESPI_FLEN)
+ case EMT_INVALIDATE:
+ if (emlen != EMT_INVALIDATE_FLEN)
SENDERR(EINVAL);
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst);
+ tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst, emp->em_gen_sproto);
if (tdbp == NULL)
SENDERR(ENOENT);
/* Set the INVALID flag */
tdbp->tdb_flags |= TDBF_INVALID;
- /* XXX Delete a routing entry, if on exists */
-
error = 0;
break;
+ case EMT_ENABLESPI:
+ if (emlen != EMT_ENABLESPI_FLEN)
+ SENDERR(EINVAL);
+
+ tdbp = gettdb(emp->em_ena_spi, emp->em_ena_dst, emp->em_ena_sproto);
+ if (tdbp == NULL)
+ SENDERR(ENOENT);
+
+ flow = find_flow(emp->em_ena_isrc, emp->em_ena_ismask,
+ emp->em_ena_idst, emp->em_ena_idmask,
+ emp->em_ena_protocol, emp->em_ena_sport,
+ emp->em_ena_dport, tdbp);
+ if (flow != (struct flow *) NULL)
+ SENDERR(EEXIST);
+
+ flow = get_flow();
+ if (flow == (struct flow *) NULL)
+ SENDERR(ENOBUFS);
+
+ flow->flow_src.s_addr = emp->em_ena_isrc.s_addr;
+ flow->flow_dst.s_addr = emp->em_ena_idst.s_addr;
+ flow->flow_srcmask.s_addr = emp->em_ena_ismask.s_addr;
+ flow->flow_dstmask.s_addr = emp->em_ena_idmask.s_addr;
+ flow->flow_proto = emp->em_ena_protocol;
+ flow->flow_sport = emp->em_ena_sport;
+ flow->flow_dport = emp->em_ena_dport;
+
+ put_flow(flow, tdbp);
+
+ /* Setup the encap fields */
+ encapdst.sen_len = SENT_IP4_LEN;
+ encapdst.sen_family = AF_ENCAP;
+ encapdst.sen_type = SENT_IP4;
+ encapdst.sen_ip_src.s_addr = flow->flow_src.s_addr;
+ encapdst.sen_ip_dst.s_addr = flow->flow_dst.s_addr;
+ encapdst.sen_proto = flow->flow_proto;
+ encapdst.sen_sport = flow->flow_sport;
+ encapdst.sen_dport = flow->flow_dport;
+
+ encapgw.sen_len = SENT_IPSP_LEN;
+ encapgw.sen_family = AF_ENCAP;
+ encapgw.sen_type = SENT_IPSP;
+ encapgw.sen_ipsp_dst.s_addr = tdbp->tdb_dst.s_addr;
+ encapgw.sen_ipsp_spi = tdbp->tdb_spi;
+
+ encapnetmask.sen_len = SENT_IP4_LEN;
+ encapnetmask.sen_family = AF_ENCAP;
+ encapnetmask.sen_type = SENT_IP4;
+ encapnetmask.sen_ip_src.s_addr = flow->flow_srcmask.s_addr;
+ encapnetmask.sen_ip_dst.s_addr = flow->flow_dstmask.s_addr;
+
+ if (flow->flow_proto)
+ {
+ encapnetmask.sen_proto = 0xff;
+
+ if (flow->flow_sport)
+ encapnetmask.sen_sport = 0xffff;
+
+ if (flow->flow_dport)
+ encapnetmask.sen_dport = 0xffff;
+ }
+
+ /* Add the entry in the routing table */
+ error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
+ (struct sockaddr *) &encapgw,
+ (struct sockaddr *) &encapnetmask,
+ RTF_UP | RTF_GATEWAY | RTF_STATIC,
+ (struct rtentry **) 0);
+
+ if (error)
+ {
+ delete_flow(flow, tdbp);
+ SENDERR(error);
+ }
+
+ error = 0;
+
+ break;
+
+ case EMT_DISABLESPI:
+ if (emlen != EMT_DISABLESPI_FLEN)
+ SENDERR(EINVAL);
+
+ tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst, emp->em_gen_sproto);
+ if (tdbp == NULL)
+ SENDERR(ENOENT);
+
+ flow = find_flow(emp->em_ena_isrc, emp->em_ena_ismask,
+ emp->em_ena_idst, emp->em_ena_idmask,
+ emp->em_ena_protocol, emp->em_ena_sport,
+ emp->em_ena_dport, tdbp);
+ if (flow == (struct flow *) NULL)
+ SENDERR(ENOENT);
+
+ /* Setup the encap fields */
+ encapdst.sen_len = SENT_IP4_LEN;
+ encapdst.sen_family = AF_ENCAP;
+ encapdst.sen_type = SENT_IP4;
+ encapdst.sen_ip_src.s_addr = flow->flow_src.s_addr;
+ encapdst.sen_ip_dst.s_addr = flow->flow_dst.s_addr;
+ encapdst.sen_proto = flow->flow_proto;
+ encapdst.sen_sport = flow->flow_sport;
+ encapdst.sen_dport = flow->flow_dport;
+
+ encapgw.sen_len = SENT_IPSP_LEN;
+ encapgw.sen_family = AF_ENCAP;
+ encapgw.sen_type = SENT_IPSP;
+ encapgw.sen_ipsp_dst.s_addr = tdbp->tdb_dst.s_addr;
+ encapgw.sen_ipsp_spi = tdbp->tdb_spi;
+
+ encapnetmask.sen_len = SENT_IP4_LEN;
+ encapnetmask.sen_family = AF_ENCAP;
+ encapnetmask.sen_type = SENT_IP4;
+ encapnetmask.sen_ip_src.s_addr = flow->flow_srcmask.s_addr;
+ encapnetmask.sen_ip_dst.s_addr = flow->flow_dstmask.s_addr;
+
+ if (flow->flow_proto)
+ {
+ encapnetmask.sen_proto = 0xff;
+
+ if (flow->flow_sport)
+ encapnetmask.sen_sport = 0xffff;
+
+ if (flow->flow_dport)
+ encapnetmask.sen_dport = 0xffff;
+ }
+
+ /* Add the entry in the routing table */
+ error = rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
+ (struct sockaddr *) &encapgw,
+ (struct sockaddr *) &encapnetmask,
+ RTF_UP | RTF_GATEWAY | RTF_STATIC,
+ (struct rtentry **) 0);
+
+ delete_flow(flow, tdbp);
+
+ break;
+
case EMT_NOTIFY:
if (emlen <= EMT_NOTIFY_FLEN)
SENDERR(EINVAL);
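Review bot: The EMT_DISABLESPI case looks up the TDB with `em_gen_spi`/`em_gen_dst`/`em_gen_sproto`, but the message it has just length-checked uses the Ena layout (`EMT_DISABLESPI_FLEN` is `EMT_ENABLESPI_FLEN`). In encap.h `Gen.Sproto` overlays the first byte of `Ena.iSrc`, so the protocol handed to `gettdb()` is really part of the inner source address; the call should be `tdbp = gettdb(emp->em_ena_spi, emp->em_ena_dst, emp->em_ena_sproto);` as in EMT_ENABLESPI. In both cases `encapdst`, `encapgw` and `encapnetmask` are automatic variables filled field by field with no zeroing visible, so when `flow_proto` is 0 the netmask's `sen_proto`/`sen_sport`/`sen_dport` and any padding reach `rtrequest()` uninitialized; a `bzero(&encapnetmask, sizeof(encapnetmask));` before filling (and the same for the other two) would make the RTM_ADD and RTM_DELETE keys deterministic. The comment above the `RTM_DELETE` call still reads "Add the entry in the routing table", and `delete_flow()` runs there whether or not the route removal succeeded. The enclosing switch in encap_output starts before and continues after this hunk.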
diff --git a/sys/net/encap.h b/sys/net/encap.h
index e02c13aca07..81b4c40cad9 100644
--- a/sys/net/encap.h
+++ b/sys/net/encap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: encap.h,v 1.6 1997/07/02 06:58:40 provos Exp $ */
+/* $OpenBSD: encap.h,v 1.7 1997/07/11 23:37:52 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -69,7 +69,8 @@ struct sockaddr_encap
{
struct in_addr Dst;
u_int32_t Spi;
- u_int8_t Filler[8];
+ u_int8_t Sproto;
+ u_int8_t Filler[7];
} Sipsp;
} Sen;
};
@@ -85,6 +86,7 @@ struct sockaddr_encap
#define sen_dport Sen.Sip4.Dport
#define sen_ipsp_dst Sen.Sipsp.Dst
#define sen_ipsp_spi Sen.Sipsp.Spi
+#define sen_ipsp_sproto Sen.Sipsp.Sproto
/*
* The "type" is really part of the address as far as the routing
@@ -136,12 +138,11 @@ struct encap_msghdr
int32_t Alg; /* Algorithm to use */
struct in_addr Dst; /* Destination address */
struct in_addr Src; /* This is used to set our source
- * address when doing tunneling and
- * the outgoing packet does not
- * have a source address (is zero) */
- struct in_addr oSrc; /* Source... */
- struct in_addr oDst; /* ...and destination in outter IP
- * header, if we're doing IP-in-IP */
+ * address when the outgoing packet
+ * does not have a source address
+ * (is zero). */
+ struct in_addr oSrc; /* Outter header source address */
+ struct in_addr oDst; /* Same, for destination address */
u_int64_t Relative_Hard; /* Expire relative to creation */
u_int64_t Relative_Soft;
u_int64_t First_Use_Hard; /* Expire relative to first use */
@@ -159,24 +160,24 @@ struct encap_msghdr
* the system default TTL will be used.
* If set to anything else, then the
* ttl used will be TTL % 256 */
- u_int16_t Sport; /* Source port, if applicable */
- u_int16_t Dport; /* Destination port, if applicable */
- u_int8_t Proto; /* Protocol, if applicable */
- u_int8_t foo[3]; /* Alignment */
+ u_int8_t Sproto; /* ESP or AH */
+ u_int8_t Foo[3]; /* Alignment */
u_int8_t Dat[1]; /* Data */
} Xfm;
/*
* For expiration notifications, the kernel fills in
- * Notification_Type, Spi and Dst. No direct response is expected.
+ * Notification_Type, Spi, Dst and Sproto.
+ * No direct response is expected.
*
* For SA Requests, the kernel fills in
- * Notification_Type, MsgID, Spi, Seclevel, Dst (and optionally
+ * Notification_Type, MsgID, Seclevel, Dst, SAType, (and optionally
* Protocol, Src, Sport, Dport and UserID).
*
* The response should have the same values in all the fields
* and:
- * Spi/Spi2/Spi3 will hold the SPIs for the three seclevels
+ * Spi will hold the SPI for the three seclevels
+ * Sproto will hold the IPsec protocol used (AH/ESP)
* UserID can optionally hold the peer's UserID (if applicable)
*/
struct /* kernel->userland notifications */
@@ -184,60 +185,93 @@ struct encap_msghdr
u_int32_t Notification_Type;
u_int32_t MsgID; /* Request ID */
u_int32_t Spi;
- u_int32_t Spi2;
- u_int32_t Spi3;
- u_int8_t Seclevel[3]; /* see netinet/in_pcb.h */
- u_int8_t Protocol; /* Transport mode for which protocol */
+ u_int32_t SAType; /* What do we want for this SA */
struct in_addr Dst; /* Peer */
struct in_addr Src; /* Might have our local address */
u_int16_t Sport; /* Source port */
u_int16_t Dport; /* Destination port */
+ u_int8_t Protocol; /* Transport protocol */
+ u_int8_t Sproto; /* IPsec protocol */
+ u_int8_t Foo[2]; /* Alignment */
u_int8_t UserID[1]; /* Might be used to indicate user */
} Notify;
/* Link two SPIs */
struct
{
- u_int32_t emr_spi; /* SPI */
- u_int32_t emr_spi2;
- struct in_addr emr_dst; /* Dest */
- struct in_addr emr_dst2;
+ u_int32_t Spi; /* SPI */
+ u_int32_t Spi2;
+ struct in_addr Dst; /* Dest */
+ struct in_addr Dst2;
+ u_int8_t Sproto; /* IPsec protocol */
+ u_int8_t Sproto2;
+ u_int16_t Foo;
} Rel;
- /* For general use */
+ /* Enable/disable an SA for a session */
+ struct
+ {
+ u_int32_t Spi;
+ struct in_addr Dst;
+ struct in_addr iSrc; /* Source... */
+ struct in_addr iDst; /* ...and destination in inner IP */
+ struct in_addr iSmask; /* Source netmask */
+ struct in_addr iDmask; /* Destination netmask */
+ u_int16_t Sport; /* Source port, if applicable */
+ u_int16_t Dport; /* Destination port, if applicable */
+ u_int8_t Protocol; /* Transport mode for which protocol */
+ u_int8_t Sproto; /* IPsec protocol */
+ u_int8_t Foo[2]; /* Alignment */
+ } Ena;
+
+ /* For general use: (in)validate, delete (chain), reserve */
struct
{
- u_int32_t emg_spi;
- struct in_addr emg_dst;
+ u_int32_t Spi;
+ struct in_addr Dst;
+ u_int8_t Sproto;
+ u_int8_t Foo[3];
} Gen;
} Eu;
};
-#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */
-#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */
-#define NOTIFY_REQUEST_SA 2 /* Establish an SA */
+#define ENCAP_MSG_FIXED_LEN (2 * sizeof(u_int32_t))
+
+#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */
+#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */
+#define NOTIFY_REQUEST_SA 2 /* Establish an SA */
+
+#define em_ena_spi Eu.Ena.Spi
+#define em_ena_dst Eu.Ena.Dst
+#define em_ena_isrc Eu.Ena.iSrc
+#define em_ena_idst Eu.Ena.iDst
+#define em_ena_ismask Eu.Ena.iSmask
+#define em_ena_idmask Eu.Ena.iDmask
+#define em_ena_sport Eu.Ena.Sport
+#define em_ena_dport Eu.Ena.Dport
+#define em_ena_protocol Eu.Ena.Protocol
+#define em_ena_sproto Eu.Ena.Sproto
-#define em_gen_spi Eu.Gen.emg_spi
-#define em_gen_dst Eu.Gen.emg_dst
+#define em_gen_spi Eu.Gen.Spi
+#define em_gen_dst Eu.Gen.Dst
+#define em_gen_sproto Eu.Gen.Sproto
#define em_not_type Eu.Notify.Notification_Type
#define em_not_spi Eu.Notify.Spi
-#define em_not_spi2 Eu.Notify.Spi2
-#define em_not_spi3 Eu.Notify.Spi3
#define em_not_dst Eu.Notify.Dst
-#define em_not_seclevel Eu.Notify.Seclevel
+#define em_not_satype Eu.Notify.SAType
#define em_not_userid Eu.Notify.UserID
#define em_not_msgid Eu.Notify.MsgID
#define em_not_sport Eu.Notify.Sport
#define em_not_dport Eu.Notify.Dport
#define em_not_protocol Eu.Notify.Protocol
+#define em_not_sproto Eu.Notify.Sproto
#define em_spi Eu.Xfm.Spi
#define em_dst Eu.Xfm.Dst
#define em_src Eu.Xfm.Src
-#define em_osrc Eu.Xfm.oSrc
-#define em_odst Eu.Xfm.oDst
-#define em_if Eu.Xfm.If
+#define em_osrc Eu.Xfm.oSrc
+#define em_odst Eu.Xfm.oDst
#define em_alg Eu.Xfm.Alg
#define em_dat Eu.Xfm.Dat
#define em_relative_hard Eu.Xfm.Relative_Hard
@@ -251,34 +285,38 @@ struct encap_msghdr
#define em_packets_hard Eu.Xfm.Packets_Hard
#define em_packets_soft Eu.Xfm.Packets_Soft
#define em_ttl Eu.Xfm.TTL
-#define em_proto Eu.Xfm.Proto
-#define em_sport Eu.Xfm.Sport
-#define em_dport Eu.Xfm.Dport
+#define em_sproto Eu.Xfm.Sproto
-#define em_rel_spi Eu.Rel.emr_spi
-#define em_rel_spi2 Eu.Rel.emr_spi2
-#define em_rel_dst Eu.Rel.emr_dst
-#define em_rel_dst2 Eu.Rel.emr_dst2
+#define em_rel_spi Eu.Rel.Spi
+#define em_rel_spi2 Eu.Rel.Spi2
+#define em_rel_dst Eu.Rel.Dst
+#define em_rel_dst2 Eu.Rel.Dst2
+#define em_rel_sproto Eu.Rel.Sproto
+#define em_rel_sproto2 Eu.Rel.Sproto2
#define EMT_SETSPI 1 /* Set SPI properties */
-#define EMT_GRPSPIS 2 /* Group SPIs (output order) */
+#define EMT_GRPSPIS 2 /* Group SPIs */
#define EMT_DELSPI 3 /* delete an SPI */
#define EMT_DELSPICHAIN 4 /* delete an SPI chain starting from */
#define EMT_RESERVESPI 5 /* Give us an SPI */
#define EMT_ENABLESPI 6 /* Enable an SA */
#define EMT_DISABLESPI 7 /* Disable an SA */
#define EMT_NOTIFY 8 /* kernel->userland key mgmt not. */
+#define EMT_VALIDATE 9 /* Make an SPI valid for use */
+#define EMT_INVALIDATE 10 /* Make an SPI invalid for use */
/* Total packet lengths */
-#define EMT_SETSPI_FLEN 124
-#define EMT_GRPSPIS_FLEN 24
-#define EMT_GENLEN 16
+#define EMT_SETSPI_FLEN 120
+#define EMT_GRPSPIS_FLEN 28
+#define EMT_GENLEN 20
#define EMT_DELSPI_FLEN EMT_GENLEN
#define EMT_DELSPICHAIN_FLEN EMT_GENLEN
-#define EMT_ENABLESPI_FLEN EMT_GENLEN
-#define EMT_DISABLESPI_FLEN EMT_GENLEN
#define EMT_RESERVESPI_FLEN EMT_GENLEN
-#define EMT_NOTIFY_FLEN 44
+#define EMT_VALIDATE_FLEN EMT_GENLEN
+#define EMT_INVALIDATE_FLEN EMT_GENLEN
+#define EMT_NOTIFY_FLEN 40
+#define EMT_ENABLESPI_FLEN 40
+#define EMT_DISABLESPI_FLEN EMT_ENABLESPI_FLEN
#ifdef _KERNEL
extern struct ifaddr *encap_findgwifa(struct sockaddr *);
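Review bot: The `EMT_*_FLEN` values (`120`, `28`, `20`, `40`, `40`) are hand-computed and have to be re-derived by hand whenever a member struct of `encap_msghdr` changes, as this hunk itself shows, while encap_output accepts or rejects messages by comparing `emlen` against them. Deriving them from the layout, for example `#define EMT_GENLEN (ENCAP_MSG_FIXED_LEN + sizeof(((struct encap_msghdr *)0)->Eu.Gen))`, would keep the length checks in step with the structs, assuming the union really begins at `ENCAP_MSG_FIXED_LEN`. Short of that, a comment beside each constant naming the struct it measures would help the next editor. Message types 6 and 7 keep their numbers but change layout and meaning, so key-management tools built against the old header will presumably get EINVAL until rebuilt.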
diff --git a/sys/net/if.c b/sys/net/if.c
index 6e680460266..e69d74c8f7d 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.12 1996/08/03 17:50:35 deraadt Exp $ */
+/* $OpenBSD: if.c,v 1.13 1997/07/11 23:37:52 provos Exp $ */
/* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
/*
@@ -229,7 +229,7 @@ ifa_ifwithnet(addr)
for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; ifa = ifa->ifa_list.tqe_next) {
register char *cp, *cp2, *cp3;
- if (ifa->ifa_addr->sa_family != af ||
+ if (!ifa->ifa_addr || ifa->ifa_addr->sa_family != af ||
ifa->ifa_netmask == 0)
next: continue;
cp = addr_data;
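Review bot: The added `!ifa->ifa_addr` test protects only this loop in ifa_ifwithnet, and the hunk carries no comment saying which interface can present an ifaddr with a NULL address. Other address-list walkers in if.c are not visible here and may need the same guard, so a short comment such as `/* some pseudo-interfaces attach an ifaddr without ifa_addr */` (wording to be confirmed by the author) would record why the check exists. The condition also mixes `!ifa->ifa_addr` with `ifa->ifa_netmask == 0`; writing it as `ifa->ifa_addr == 0 ||` would match the surrounding style. ifa_ifwithnet starts before and continues after this hunk.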
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
index 0f0cff17d8c..de2544fd9b8 100644
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_enc.c,v 1.4 1997/07/01 22:12:39 provos Exp $ */
+/* $OpenBSD: if_enc.c,v 1.5 1997/07/11 23:37:53 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -66,7 +66,7 @@ struct ifnet enc_softc;
void encattach __P((int));
int encoutput __P((struct ifnet *, struct mbuf *, struct sockaddr *,
- struct rtentry *));
+ struct rtentry *));
int encioctl __P((struct ifnet *, u_long, caddr_t));
void encrtrequest __P((int, struct rtentry *, struct sockaddr *));
@@ -98,10 +98,10 @@ encattach(int nenc)
#endif
/* Just a bogus entry */
- ifa = (struct ifaddr *)malloc(sizeof(struct ifaddr) +
- sizeof(struct sockaddr), M_IFADDR, M_WAITOK);
+ ifa = (struct ifaddr *) malloc(sizeof(struct ifaddr) +
+ sizeof(struct sockaddr), M_IFADDR, M_WAITOK);
bzero(ifa, sizeof(struct ifaddr) + sizeof(struct sockaddr));
- ifa->ifa_addr = ifa->ifa_dstaddr = (struct sockaddr *)(ifa + 1);
+ ifa->ifa_addr = ifa->ifa_dstaddr = (struct sockaddr *) (ifa + 1);
ifa->ifa_ifp = &enc_softc;
TAILQ_INSERT_HEAD(&(enc_softc.if_addrlist), ifa, ifa_list);
}
@@ -120,7 +120,7 @@ register struct rtentry *rt;
int s, isr;
if ((m->m_flags & M_PKTHDR) == 0)
- panic("encoutput no HDR");
+ panic("encoutput(): no HDR");
ifp->if_lastchange = time;
@@ -139,7 +139,7 @@ register struct rtentry *rt;
m0.m_next = m;
m0.m_len = 4;
- m0.m_data = (char *)&af;
+ m0.m_data = (char *) &af;
bpf_mtap(ifp->if_bpf, &m0);
}
@@ -239,7 +239,7 @@ caddr_t data;
*/
ifp->if_flags |= IFF_UP;
- ifa = (struct ifaddr *)data;
+ ifa = (struct ifaddr *) data;
break;