History log of /openbsd-current/sbin/iked/dh.c
Revision Date Author Comments
# 1.33 28-Jul-2023 claudio

Use ibuf_data() instead of accessing the ibuf buf pointer directly.
Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate.
OK tobhe@ tb@


Revision tags: OPENBSD_7_3_BASE
# 1.32 03-Dec-2022 tobhe

Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.31 13-Dec-2021 tb

Avoid a potential double free in group_free()

In the unlikely event that EC_KEY_check_key() in ec_init() fails,
the group would be freed twice: once in ec_init(), and later in
group_free().

ok tobhe


# 1.30 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


Revision tags: OPENBSD_7_0_BASE
# 1.29 28-May-2021 tobhe

Add experimental post-quantum hybrid key exchange method
based on Streamlined NTRU Prime (coupled with X25519).

The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).

The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.

ok markus@ patrick@


# 1.28 13-May-2021 tb

Use field independent version of {get,set}_affine_coordinates.

ok tobhe


Revision tags: OPENBSD_6_9_BASE
# 1.27 04-Feb-2021 tobhe

Rename 'struct group' to 'struct dh_group' for more clarity and
to avoid name clashes.

ok patrick@


# 1.26 04-Feb-2021 tobhe

EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m()
do the same thing. Remove redundant check and always use the _GFp() variant.

discussed with tb@
ok patrick@


# 1.25 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.24 28-Oct-2020 tobhe

Refactor parts of the dh_* API.

ok patrick@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.23 28-Apr-2020 tobhe

Remove support for insecure EC2N groups. Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 02-Apr-2019 sthen

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.21 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be
compatible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.20 21-May-2017 deraadt

A few more freezero() uses
ok yasuoka mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.19 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


# 1.18 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.15 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.
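The leading-zero problem described in revisions 1.6 and 1.7, and the X-only ECP shared secret of revision 1.21, as an added illustration that is not iked's code: a minimal encoder (the BN_bn2bin() behaviour) beside a fixed-width one that pads to the group length and rejects oversized values. The sample coordinates and the 32-byte field length are constructed for the demo.

```python
# Added example, not taken from iked or LibreSSL. Shows why a KE payload
# must be padded to the group length rather than encoded minimally.
from typing import Tuple

# Constructed sample values: SAMPLE_X has a zero top byte when written in
# 32 bytes, which is exactly the case BN_bn2bin() mishandles for the protocol.
FIELD_LEN = 32                      # byte length of a 256-bit ECP field (assumed)
SAMPLE_X = (1 << 240) + 12345       # 241-bit value -> 31-byte minimal encoding
SAMPLE_Y = (1 << 255) | 7           # 256-bit value -> already 32 bytes


def bn2bin_minimal(value: int) -> bytes:
    """Mimics BN_bn2bin(): big-endian, leading zero bytes dropped."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def bn2bin_fixed(value: int, length: int) -> bytes:
    """Big-endian encoding left-padded with zeroes to exactly `length` bytes.

    Unlike the minimal form, the output length depends only on the group,
    so the peer can split X and Y at a fixed offset (revision 1.7).
    """
    if value < 0:
        raise ValueError("negative bignum")
    if value.bit_length() > length * 8:
        raise ValueError("value does not fit in %d bytes" % length)
    return value.to_bytes(length, "big")


def encode_ecp_point(x: int, y: int, field_len: int) -> bytes:
    """KE payload body for an ECP group: X || Y, each padded to field_len."""
    return bn2bin_fixed(x, field_len) + bn2bin_fixed(y, field_len)


def decode_ecp_point(ke: bytes, field_len: int) -> Tuple[int, int]:
    """Parse a peer's KE body; anything but exactly 2*field_len bytes is rejected."""
    if len(ke) != 2 * field_len:
        raise ValueError("bad KE length %d, expected %d" % (len(ke), 2 * field_len))
    return (int.from_bytes(ke[:field_len], "big"),
            int.from_bytes(ke[field_len:], "big"))


def ecp_shared_secret(shared_x: int, shared_y: int, field_len: int) -> bytes:
    """RFC 5903 shared secret: only the padded X coordinate (revision 1.21)."""
    return bn2bin_fixed(shared_x, field_len)


def modp_public_value(g: int, x: int, p: int) -> bytes:
    """MODP public value g^x mod p, encoded to the byte length of p."""
    return bn2bin_fixed(pow(g, x, p), (p.bit_length() + 7) // 8)


def demo() -> dict:
    """Return the encodings side by side so the length difference is visible."""
    return {
        "minimal_len": len(bn2bin_minimal(SAMPLE_X)),
        "padded_len": len(bn2bin_fixed(SAMPLE_X, FIELD_LEN)),
        "ke_len": len(encode_ecp_point(SAMPLE_X, SAMPLE_Y, FIELD_LEN)),
    }


if __name__ == "__main__":
    print(demo())
```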


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.28 13-May-2021 tb

Use field independent version of {get,set}_affine_coordinates.

ok tobhe


Revision tags: OPENBSD_6_9_BASE
# 1.27 04-Feb-2021 tobhe

Rename 'struct group' to 'struct dh_group' for more clarity and
to avoid name clashes.

ok patrick@


# 1.26 04-Feb-2021 tobhe

EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m()
do the same thing. Remove redundant check and always use the _GFp() variant.

discussed with tb@
ok patrick@


# 1.25 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.24 28-Oct-2020 tobhe

Refactor parts of the dh_* API.

ok patrick@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.23 28-Apr-2020 tobhe

Remove support for insecure EC2N groups. Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 02-Apr-2019 sthen

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.21 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be com-
patible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.20 21-May-2017 deraadt

A few more freezero() uses
ok yasuoka mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.19 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


# 1.18 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.15 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.27 04-Feb-2021 tobhe

Rename 'struct group' to 'struct dh_group' for more clarity and
to avoid name clashes.

ok patrick@


# 1.26 04-Feb-2021 tobhe

EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m()
do the same thing. Remove redundant check and always use the _GFp() variant.

discussed with tb@
ok patrick@


# 1.25 04-Feb-2021 tobhe

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@


# 1.24 28-Oct-2020 tobhe

Refactor parts of the dh_* API.

ok patrick@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.23 28-Apr-2020 tobhe

Remove support for insecure EC2N groups. Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 02-Apr-2019 sthen

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.21 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be com-
patible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.20 21-May-2017 deraadt

A few more freezero() uses
ok yasuoka mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.19 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


# 1.18 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.15 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.24 28-Oct-2020 tobhe

Refactor parts of the dh_* API.

ok patrick@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.23 28-Apr-2020 tobhe

Remove support for insecure EC2N groups. Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 02-Apr-2019 sthen

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.21 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be com-
patible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.20 21-May-2017 deraadt

A few more freezero() uses
ok yasuoka mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.19 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


# 1.18 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.15 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


# 1.23 28-Apr-2020 tobhe

Remove support for insecure EC2N groups. Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.22 02-Apr-2019 sthen

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.21 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be com-
patible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.20 21-May-2017 deraadt

A few more freezero() uses
ok yasuoka mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.19 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


# 1.18 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.15 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.22 02-Apr-2019 sthen

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.21 27-Oct-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be com-
patible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.20 21-May-2017 deraadt

A few more freezero() uses
ok yasuoka mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.19 27-Mar-2017 mikeb

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk


# 1.18 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.15 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.14 27-Aug-2014 reyk

Add support for Curve25519 using the public domain code that is found
in OpenSSH. The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@


# 1.13 25-Aug-2014 reyk

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.12 10-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@


Revision tags: OPENBSD_5_5_BASE
# 1.11 14-Nov-2013 markus

verify EC points; from hshoexer; ok mikeb


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.10 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.9 15-Dec-2012 reyk

Plug two memory leaks when cleaning up the dh/dsa crypto structures.


# 1.8 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.7 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.6 03-Jul-2011 mikeb

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.
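The leading-zero handling described in the 1.6 and 1.7 entries above, as an added C example that is not iked's code: a stand-in for BN_bn2bin() that strips leading zero bytes, and a fixed-width encoder that zeroes the dropped prefix so that X and Y each occupy exactly the group's length. The bignum bytes and the field length are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Like BN_bn2bin(): strip leading zero bytes; returns bytes written. */
static size_t
bn2bin_like(const uint8_t *num, size_t numlen, uint8_t *out)
{
	size_t skip = 0;
	while (skip < numlen && num[skip] == 0)
		skip++;
	memcpy(out, num + skip, numlen - skip);
	return (numlen - skip);
}

/*
 * Write val into a fieldlen-byte field, zeroing the leading bytes that
 * BN_bn2bin() dropped. Returns -1 if val does not fit the field.
 */
static int
encode_fixed(const uint8_t *val, size_t vallen, uint8_t *out, size_t fieldlen)
{
	if (vallen > fieldlen)
		return (-1);
	memset(out, 0, fieldlen - vallen);
	memcpy(out + (fieldlen - vallen), val, vallen);
	return (0);
}

/* EC point as X || Y, each exactly elen bytes as derived from the group. */
static int
ec_point_encode(const uint8_t *x, size_t xlen, const uint8_t *y, size_t ylen,
    uint8_t *out, size_t elen)
{
	if (encode_fixed(x, xlen, out, elen) == -1)
		return (-1);
	return (encode_fixed(y, ylen, out + elen, elen));
}

/* Constructed sample, elen = 4: x = 0x00001234 loses two bytes in bn2bin. */
static int
demo(void)
{
	const uint8_t x[4] = { 0x00, 0x00, 0x12, 0x34 };
	const uint8_t y[4] = { 0xab, 0xcd, 0xef, 0x01 };
	const uint8_t want[8] = { 0, 0, 0x12, 0x34, 0xab, 0xcd, 0xef, 0x01 };
	uint8_t xs[4], ys[4], out[8];
	size_t xlen = bn2bin_like(x, 4, xs), ylen = bn2bin_like(y, 4, ys);

	if (xlen != 2 || ec_point_encode(xs, xlen, ys, ylen, out, 4) == -1)
		return (0);
	return (memcmp(out, want, 8) == 0);	/* 1: padded encoding matches */
}
```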


Revision tags: OPENBSD_4_9_BASE
# 1.5 29-Nov-2010 markus

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.4 29-Jun-2010 reyk

Add missing frees.


# 1.3 23-Jun-2010 reyk

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 1.2 23-Jun-2010 reyk

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.


# 1.1 03-Jun-2010 reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

