Allow zero-length identity response

ok tobhe

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Include endian.h where needed for betohXX functions.

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Include endian.h where needed for betohXX functions.

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Include endian.h where needed for betohXX functions.

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Include endian.h where needed for betohXX functions.

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Constify sa in ikev2_pld_eap(). The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

More unused headers.

Remove unused "wait.h" includes.

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is stll special, but this fits a lot better into
the overall architecture.

Tested with iOS, Stronswan and Windows
ok patrick@ sthen@

Fix handling of short EAP-MSCHAP messages.

ok patrick@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

unneeded getopt.h

Remove unnecessary <netinet/ip_ipsp.h> includes

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Remove unused variables.

update email addresses to match reality.
sure jsg@ mikeb@

spacing

fixup log_warn and log_debug arguments; ok reyk

plug a tiny leak.

ok mikeb@

fixup length of an eap identity message payload.

ok reyk

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@