History log of /openbsd-current/sbin/iked/crypto.c
Revision Date Author Comments
# 1.46 04-Aug-2023 claudio

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@


# 1.45 28-Jul-2023 claudio

Use ibuf_data() instead of accessing the ibuf buf pointer directly.
Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate.
OK tobhe@ tb@


# 1.44 06-Jun-2023 claudio

Use ibuf_seek() instead of ibuf_data() + offset constructs. Effect is
the same in these cases.
OK tb@


# 1.43 23-May-2023 claudio

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@


# 1.42 30-Mar-2023 bluhm

i2d_ECDSA_SIG() may return a negative value in case of error.
Do not use this as length in iked(8) _dsa_verify_prepare().
OK tobhe@ tb@


Revision tags: OPENBSD_7_3_BASE
# 1.41 30-Nov-2022 tb

Switch idiom of d2i_ECDSA_SIG() invocation

Instead of the discouraged obj = NULL; d2i_ECDSA_SIG(&obj, ...); use the
recommended obj = d2i_ECDSA_SIG(NULL, ...);. While it makes no difference
here, it's better practice.

suggested by & ok markus


# 1.40 07-Nov-2022 tobhe

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.39 13-Dec-2021 tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@


# 1.38 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.37 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.36 18-Nov-2021 tb

iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe


# 1.35 18-Nov-2021 tobhe

Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@

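The IV discipline the 1.29 message describes, as an added C example that is not iked's own code: it assumes the RFC 5282 AES-GCM layout for IKEv2 (a 4-byte salt taken from the key material plus an 8-byte explicit IV carried in the packet), keeps the explicit IV as a counter so no two encryptions under one key share a nonce, and refuses to hand out a nonce once the counter would wrap.

```c
/*
 * Added example (not code from iked): counter-based nonce generation for
 * AES-GCM in the shape IKEv2 uses (RFC 5282). The nonce given to GCM is
 * salt || explicit_iv (12 bytes). The explicit IV is a counter rather than
 * a random value, so uniqueness per key is guaranteed by construction and
 * the generator signals exhaustion instead of ever reusing a value.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GCM_SALT_LEN	4
#define GCM_IV_LEN	8
#define GCM_NONCE_LEN	(GCM_SALT_LEN + GCM_IV_LEN)

struct gcm_nonce_state {
	uint8_t		salt[GCM_SALT_LEN];	/* fixed per key */
	uint64_t	counter;		/* next explicit IV */
	int		exhausted;		/* set once counter would wrap */
};

/* Initialise state for a fresh key: salt comes with the key material,
 * the counter starts at zero. */
void
gcm_nonce_init(struct gcm_nonce_state *st, const uint8_t *salt)
{
	memcpy(st->salt, salt, GCM_SALT_LEN);
	st->counter = 0;
	st->exhausted = 0;
}

/*
 * Produce the next nonce. Writes the 12-byte GCM nonce (salt || iv) and,
 * if requested, the 8-byte explicit IV that travels in the packet.
 * Returns 0 on success, -1 once the counter space is used up; the caller
 * must rekey rather than encrypt, because a repeated nonce breaks GCM.
 */
int
gcm_nonce_next(struct gcm_nonce_state *st, uint8_t nonce[GCM_NONCE_LEN],
    uint8_t explicit_iv[GCM_IV_LEN])
{
	uint8_t iv[GCM_IV_LEN];
	int i;

	if (st->exhausted)
		return -1;

	/* big-endian encoding of the counter */
	for (i = 0; i < GCM_IV_LEN; i++)
		iv[i] = (uint8_t)(st->counter >> (8 * (GCM_IV_LEN - 1 - i)));

	memcpy(nonce, st->salt, GCM_SALT_LEN);
	memcpy(nonce + GCM_SALT_LEN, iv, GCM_IV_LEN);
	if (explicit_iv != NULL)
		memcpy(explicit_iv, iv, GCM_IV_LEN);

	if (st->counter == UINT64_MAX)
		st->exhausted = 1;	/* that was the last usable value */
	else
		st->counter++;
	return 0;
}

/* Receive side: rebuild the nonce from the salt and the explicit IV found
 * in the packet. The decryptor never consults the counter. */
void
gcm_nonce_from_wire(const uint8_t *salt, const uint8_t explicit_iv[GCM_IV_LEN],
    uint8_t nonce[GCM_NONCE_LEN])
{
	memcpy(nonce, salt, GCM_SALT_LEN);
	memcpy(nonce + GCM_SALT_LEN, explicit_iv, GCM_IV_LEN);
}

int
main(void)
{
	/* constructed sample salt, not real key material */
	static const uint8_t salt[GCM_SALT_LEN] = { 0xde, 0xad, 0xbe, 0xef };
	struct gcm_nonce_state st;
	uint8_t nonce[GCM_NONCE_LEN], iv[GCM_IV_LEN];
	int i, n;

	gcm_nonce_init(&st, salt);
	for (n = 0; n < 3 && gcm_nonce_next(&st, nonce, iv) == 0; n++) {
		printf("nonce %d:", n);
		for (i = 0; i < GCM_NONCE_LEN; i++)
			printf(" %02x", nonce[i]);
		printf("\n");
	}
	return 0;
}
```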

Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on process shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.40 07-Nov-2022 tobhe

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.39 13-Dec-2021 tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@


# 1.38 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.37 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.36 18-Nov-2021 tb

iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe


# 1.35 18-Nov-2021 tobhe

Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.39 13-Dec-2021 tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@


# 1.38 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.37 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.36 18-Nov-2021 tb

iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe


# 1.35 18-Nov-2021 tobhe

Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.38 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.37 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.36 18-Nov-2021 tb

iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe


# 1.35 18-Nov-2021 tobhe

Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.37 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.36 18-Nov-2021 tb

iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe


# 1.35 18-Nov-2021 tobhe

Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked into bypassing a signature
verification, caused by an incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus
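
The return-value hazard behind this fix, as an added example rather than the iked code itself: OpenSSL's EVP_VerifyFinal() returns 1 for a verified signature, 0 for one that did not verify and -1 for an error, so a check that treats "non-zero" as success accepts the error path. The Go version below reproduces that contract on top of crypto/ecdsa (the -1 case is a signature that fails to parse) and puts the lax check beside the strict one; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// verifyFinal mirrors the three-way contract of OpenSSL's
// EVP_VerifyFinal()/ECDSA_verify(): 1 means the signature verified,
// 0 means it did not, and -1 means an error stopped verification from
// being decided at all (here: the DER signature did not parse).
func verifyFinal(pub *ecdsa.PublicKey, digest, der []byte) int {
	var sig struct{ R, S *big.Int }
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil || len(rest) != 0 {
		return -1
	}
	if ecdsa.Verify(pub, digest, sig.R, sig.S) {
		return 1
	}
	return 0
}

// buggyCheck is the pattern the 1.6 entry describes: anything non-zero
// is taken as success, so the -1 error path counts as "verified".
func buggyCheck(pub *ecdsa.PublicKey, digest, der []byte) bool {
	return verifyFinal(pub, digest, der) != 0
}

// strictCheck accepts exactly 1; both "did not verify" and "error" fail.
func strictCheck(pub *ecdsa.PublicKey, digest, der []byte) bool {
	return verifyFinal(pub, digest, der) == 1
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	digest := sha256.Sum256([]byte("constructed AUTH payload input"))
	good, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	garbage := []byte{0xff, 0xfe, 0xfd} // constructed: not DER, so the verifier returns -1

	fmt.Println("return codes:", verifyFinal(pub, digest[:], good), verifyFinal(pub, digest[:], garbage))
	fmt.Println("buggy check accepts garbage:", buggyCheck(pub, digest[:], garbage))
	fmt.Println("strict check accepts garbage:", strictCheck(pub, digest[:], garbage))
}
```

The same discipline applies to every libcrypto call with a signed result: compare against the one value that means success, never against zero, and never reuse a negative return as a length.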


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.36 18-Nov-2021 tb

iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe


# 1.35 18-Nov-2021 tobhe

Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation; using a counter
as the IV eliminates the risk of random collisions.

ok markus@ patrick@
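
How a counter IV is laid out for AES-GCM in IKEv2 (RFC 5282: a 4-octet salt from the key material, an 8-octet IV sent in the packet, nonce = salt || IV), and what a single repeated nonce gives away, as an added Go example that is not iked's code. The type and function names are this example's own, the salt and plaintexts are constructed, and the last function computes the birthday bound for random 64-bit IVs that the entry above is avoiding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// gcmSender holds one direction's AES-GCM state laid out as RFC 5282
// does for IKEv2: a 4-octet salt taken from the key material, an 8-octet
// IV sent in clear in the Encrypted payload, and the 12-octet GCM nonce
// formed as salt || IV.
type gcmSender struct {
	aead    cipher.AEAD
	salt    [4]byte
	counter uint64 // the next IV; strictly increasing for the life of the key
}

func newGCMSender(key, salt []byte) (*gcmSender, error) {
	if len(salt) != 4 {
		return nil, errors.New("salt must be 4 octets")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &gcmSender{aead: aead}
	copy(s.salt[:], salt)
	return s, nil
}

func nonceFor(salt, iv []byte) []byte {
	return append(append(make([]byte, 0, 12), salt...), iv...)
}

// seal returns the IV to transmit alongside ciphertext||tag. The all-ones
// IV is refused so the counter can never wrap around to a value already used.
func (s *gcmSender) seal(plaintext, aad []byte) (iv, ct []byte, err error) {
	if s.counter == math.MaxUint64 {
		return nil, nil, errors.New("IV space exhausted: rekey before sending")
	}
	iv = make([]byte, 8)
	binary.BigEndian.PutUint64(iv, s.counter)
	s.counter++
	return iv, s.aead.Seal(nil, nonceFor(s.salt[:], iv), plaintext, aad), nil
}

func open(aead cipher.AEAD, salt, iv, ct, aad []byte) ([]byte, error) {
	return aead.Open(nil, nonceFor(salt, iv), ct, aad)
}

// keystreamLeak shows the cost of a repeated nonce: GCM encrypts in CTR
// mode, so two ciphertexts under one (key, nonce) XOR to the XOR of the
// two plaintexts, with no key needed.
func keystreamLeak(aead cipher.AEAD, nonce, p1, p2 []byte) []byte {
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	out := make([]byte, len(p1))
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

// randomIVCollisionBound is the birthday-bound probability that n random
// 64-bit IVs contain a repeat, roughly n^2 / 2^65.
func randomIVCollisionBound(n float64) float64 {
	return n * (n - 1) / math.Exp2(65)
}

func main() {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	salt := []byte{0x01, 0x02, 0x03, 0x04} // constructed; iked derives it from the key material
	s, err := newGCMSender(key, salt)
	if err != nil {
		panic(err)
	}
	aad := []byte("constructed IKE header")
	for i := 0; i < 3; i++ {
		iv, ct, _ := s.seal([]byte("constructed payload"), aad)
		pt, err := open(s.aead, salt, iv, ct, aad)
		fmt.Printf("iv=%x ok=%v %q\n", iv, err == nil, pt)
	}
	// IV 0 was already spent above; reusing it is exactly the collision case.
	p1, p2 := []byte("attack at dawn  "), []byte("hold position   ")
	x := keystreamLeak(s.aead, nonceFor(salt, make([]byte, 8)), p1, p2)
	fmt.Printf("c1^c2 = %x, equals p1^p2: %v\n", x, x[0] == p1[0]^p2[0])
	fmt.Printf("P[repeat] after 2^32 random IVs ~ %.3f\n", randomIVCollisionBound(math.Exp2(32)))
}
```

With random 64-bit IVs the repeat probability reaches one half at about 2^32 messages, which a busy SA can reach within its lifetime; the counter makes the probability zero until the key is retired, which is why exhaustion is an error rather than a wrap.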


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.34 25-Feb-2021 tobhe

Constify cipher API.

ok markus@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.33 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.32 26-Jan-2021 tobhe

Add support for RSA-PSS PKCS1 signatures. Don't enable them by
default for now because of interoperability issues.

ok patrick@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.31 06-Dec-2020 tobhe

Add support for RSASSA-PSS signature verification (RFC 7427).

ok patrick@


# 1.30 03-Dec-2020 tobhe

Fix type mismatch. auth_method should be uint8_t.

ok markus@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.29 26-Nov-2020 tobhe

Use a counter instead of random IV for AES-GCM. Security depends on
choosing a unique IV for every encryption operation, using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.28 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.27 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.26 22-Apr-2020 tobhe

Fix leaks in signature validation.

ok markus@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.25 20-Apr-2020 tobhe

Remove unused 'dsa_cert' variable.

ok markus@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.24 08-Apr-2020 tobhe

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@


# 1.23 14-Feb-2020 tobhe

Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit()
which allows us to support additional signing options like PSS
padding in the future.

ok patrick@ markus@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 28-Aug-2017 otto

fix char ** to const char ** conversion warning; ok mikeb@


Revision tags: OPENBSD_6_1_BASE
# 1.21 27-Mar-2017 reyk

spacing


# 1.20 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 31-Oct-2015 naddy

RFC4754 specifies ECDSA-521 (sic), not -512. ok reyk@


# 1.18 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.17 19-Aug-2015 reyk

spacing (no binary change, verified with checksums)


Revision tags: OPENBSD_5_8_BASE
# 1.16 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.15 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_6_BASE
# 1.14 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.13 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.12 24-Jan-2014 markus

don't leak prv RSA key for each signature; ok mikeb


# 1.11 04-Dec-2013 mikeb

Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup.
Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a
hashing function for RSA Digital Signatures. Tested by and OK markus.


# 1.10 14-Nov-2013 markus

pass caller to ca_sslerror for better error messages; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.9 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.8 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.7 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.6 27-Aug-2011 mikeb

Under certain circumstances iked can be tricked to bypass a signature
verification caused by the incorrect check of the EVP_VerifyFinal
return value. Issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!

While here, check for HMAC_* return values.

ok jsg, markus
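
A stand-alone illustration of the return-value check this commit describes, added here as an example and not iked's or libcrypto's code: `toy_verify_final()` is a constructed stand-in that follows the EVP_VerifyFinal() contract (1 = signature valid, 0 = signature invalid, negative = error), and the two wrappers show the check that lets an error path through beside the one that does not.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed stand-in for a libcrypto-style verify call.  It is NOT
 * EVP_VerifyFinal() itself, but it keeps the same return contract:
 *   1  -> signature matches
 *   0  -> signature does not match
 *  -1  -> error (here: NULL pointer or wrong signature length)
 * The "signature" is an 8-byte constructed tag, not a real signature.
 */
#define TAG_LEN 8
static const uint8_t expected_tag[TAG_LEN] = { 'c','o','n','s','t','r','u','c' };

int
toy_verify_final(const uint8_t *sig, size_t siglen)
{
	uint8_t diff = 0;
	size_t i;

	if (sig == NULL || siglen != TAG_LEN)
		return -1;		/* error, not a verdict */
	for (i = 0; i < TAG_LEN; i++)	/* constant-time compare */
		diff |= sig[i] ^ expected_tag[i];
	return diff == 0 ? 1 : 0;
}

/*
 * Vulnerable pattern: only 0 is treated as failure, so the -1 error
 * return is accepted as if the signature had verified.
 */
int
accept_sig_buggy(const uint8_t *sig, size_t siglen)
{
	return toy_verify_final(sig, siglen) != 0;
}

/* Hardened pattern: anything other than exactly 1 is a rejection. */
int
accept_sig_fixed(const uint8_t *sig, size_t siglen)
{
	return toy_verify_final(sig, siglen) == 1;
}
```

The same "== 1, not != 0" rule applies to the HMAC_* functions the commit also mentions, which return 1 on success and 0 on failure.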


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.5 21-Dec-2010 mikeb

fixup log_warn and log_debug arguments; ok reyk


# 1.4 08-Nov-2010 mikeb

fixup number rounding; ok reyk


# 1.3 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.2 14-Jun-2010 reyk

fix block length for AES


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

