New attempt. This performs the check at parse time in validate_sa().
(Yes, I'm aware that the regression tests will also require some
tweaking.)
Index: ipsecctl.h
===
RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.h,v
retrieving revision
Here's a tentative diff to disable AES-CTR/-GCM/-GMAC for manual
security associations, in accordance with RFC 3686/4106/4543 that
explicitly forbid the use of these algorithms with static keys.
Should this be better handled in the grammar?
For ipsec.conf.5, it also includes a tweak to the key le
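
Why counter-mode transforms and static keys do not mix, as an added example that is not part of the original messages or the ipsecctl source: a manual SA keeps its key across a restart while its in-memory IV counter starts over, so a (key, nonce) pair repeats and the keystream cancels out of the two ciphertexts. The keystream is a SHA-256 counter construction standing in for AES-CTR, and `ManualSA`, `manual_sa_allowed` and the payloads are hypothetical names and constructed values.

```python
import hashlib

# Families named in the thread; a manual (static-key) SA must not use them.
COUNTER_MODE = ("AES-CTR", "AES-GCM", "AES-GMAC")

def manual_sa_allowed(enc: str) -> bool:
    """Hypothetical parse-time check: reject counter-mode transforms."""
    return enc.upper() not in COUNTER_MODE

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR (assumption): block i = SHA-256(key || nonce || i).
    out, i = b"", 1
    while len(out) < length:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ManualSA:
    """Hypothetical manual SA: static key, IV counter kept only in memory."""
    def __init__(self, key: bytes):
        self.key, self.iv = key, 0

    def seal(self, plaintext: bytes):
        self.iv += 1
        nonce = self.iv.to_bytes(8, "big")
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))

def reuse_after_restart():
    key = bytes(range(16))                 # constructed static key
    p1 = b"constructed payload A"          # constructed plaintexts, same length
    p2 = b"constructed payload B"
    n1, c1 = ManualSA(key).seal(p1)        # before restart
    n2, c2 = ManualSA(key).seal(p2)        # after restart: same key, IV reset
    # Same (key, nonce) means same keystream, so it cancels out of c1 XOR c2.
    return n1 == n2, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print(reuse_after_restart())
    print(manual_sa_allowed("AES-GCM"), manual_sa_allowed("AES-CBC"))
```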