History log of /openbsd-current/sbin/isakmpd/dh.c
Revision Date Author Comments
# 1.27 31-Mar-2023 tb

Guard use of GROUP_EC2N with #ifndef OPENSSL_NO_EC2M

This allows compiling isakmpd with a libcrypto that has binary field
support removed. Leave the enum value itself unguarded on claudio's
request.

ok beck claudio jsing


# 1.26 28-Mar-2023 tb

Avoid double free in isakmpd

In the unlikely event that EC_KEY_check_key() in ec_init() fails,
group->ec would be freed first in ec_init() then in group_free().

Same problem was fixed in iked/dh.c r1.31 (where it originally came
from).

ok jsg mbuhl
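
The pattern behind 1.26 is an ownership mismatch: an init routine frees a member on its own failure path while the caller's cleanup routine also frees it. The example below is added here and is not the isakmpd or iked code; struct ec_group, the key_is_bad knob, ec_init_buggy(), ec_init(), group_free() and the counting ec_alloc()/ec_free() wrappers are all constructed so that the double free can be counted instead of crashing the process. It shows the pre-fix shape beside the fixed one, in which only group_free() releases the allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the EC group state in dh.c (constructed for this example;
 * the real struct wraps an EC_KEY and the check is EC_KEY_check_key()). */
struct ec_group {
	void *ec;		/* owned allocation, NULL when absent */
};

/* Allocation wrappers that record a repeated free instead of performing
 * it, so the faulty sequence can be observed rather than crash. */
static void *last_freed;
static int double_frees;

static void *
ec_alloc(size_t n)
{
	void *p = malloc(n);

	if (p != NULL && p == last_freed)
		last_freed = NULL;	/* address reused, it is live again */
	return p;
}

static void
ec_free(void *p)
{
	if (p == NULL)
		return;
	if (p == last_freed) {
		double_frees++;		/* second free of the same pointer */
		return;
	}
	last_freed = p;
	free(p);
}

/* 1 = valid, like EC_KEY_check_key(); the knob replaces real checking. */
static int
ec_key_check(const struct ec_group *g, int key_is_bad)
{
	(void)g;
	return !key_is_bad;
}

/* Pre-1.26 shape: frees g->ec on the failure path but leaves the
 * pointer set, so the caller's group_free() frees it again. */
static int
ec_init_buggy(struct ec_group *g, int key_is_bad)
{
	if ((g->ec = ec_alloc(64)) == NULL)
		return -1;
	if (!ec_key_check(g, key_is_bad)) {
		ec_free(g->ec);		/* g->ec now dangles */
		return -1;
	}
	return 0;
}

/* 1.26 shape: on failure only report it; group_free() owns teardown. */
static int
ec_init(struct ec_group *g, int key_is_bad)
{
	if ((g->ec = ec_alloc(64)) == NULL)
		return -1;
	if (!ec_key_check(g, key_is_bad))
		return -1;
	return 0;
}

static void
group_free(struct ec_group *g)
{
	ec_free(g->ec);
	g->ec = NULL;		/* a second group_free() is then a no-op */
}

/* Run init followed by the caller's unconditional cleanup and return
 * how many double frees that sequence produced (0 is correct). */
int
run_init_then_free(int use_buggy, int key_is_bad)
{
	struct ec_group g = { NULL };
	int before = double_frees;

	if (use_buggy)
		(void)ec_init_buggy(&g, key_is_bad);
	else
		(void)ec_init(&g, key_is_bad);
	group_free(&g);		/* runs on success and on failure */
	return double_frees - before;
}

int
main(void)
{
	printf("buggy init, bad key: %d double free(s)\n",
	    run_init_then_free(1, 1));
	printf("fixed init, bad key: %d double free(s)\n",
	    run_init_then_free(0, 1));
	return 0;
}
```

The rule the fix encodes is that exactly one function owns each allocation's release. Either the init routine never frees what the caller will free, as here, or it sets the member to NULL after freeing it; group_free() doing the same makes a repeated cleanup harmless.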


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.25 14-Jan-2022 tb

isakmpd: convert modp to opaque DH


# 1.24 30-Nov-2021 tb

isakmpd: convert modp_init() for opaque DH.

ok jsing


# 1.23 29-Nov-2021 deraadt

the code in this file has reason to include any sys/*.h header files,
let alone sys/param.h, which it uses to get roundup(). make a local
copy of the macro, and call it a day.


Revision tags: OPENBSD_7_0_BASE
# 1.22 13-May-2021 tb

Use field independent versions of {get,set}_coordinates()

ok tobhe


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.21 08-Nov-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included.

The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.

Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the
presented tag. This could be used to implement backwards compatibility
to older isakmpds.

Prompted by and ok mpi@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.20 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.18 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.17 25-Aug-2014 reyk

Sync dh.[ch] from iked. The files are identical, so any change in
either iked or isakmpd should be synced to the other daemon. The
previous changes from iked include: plug two memory leaks, verify EC
points and add the Brainpool curves. All tests in
regress/sbin/isakmpd/dh passed OKAY.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.16 11-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.15 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.14 15-Jun-2011 mikeb

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.

Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.

ok sthen


Revision tags: OPENBSD_4_9_BASE
# 1.13 29-Nov-2010 markus

branches: 1.13.2;
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.12 29-Jun-2010 reyk

branches: 1.12.2;
Replace the hand-crafted Diffie-Hellman implementation in isakmpd with
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).

ok deraadt@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.11 04-May-2006 djm

check for degenerate Diffie-Hellman public exponents;
ok markus@ hshoexer@ deraadt@
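
Three of the entries above describe one small family of pitfalls around libcrypto's DH primitives: 1.11 rejects degenerate peer public values, 1.14 pads the BN_bn2bin() output back to the group's byte length (1.15 applies the same rule to EC coordinates), and 1.18 tests the -1 error return of DH_compute_key() correctly. The following is an added example, not code from isakmpd or iked, that shows the three checks together on a constructed 61-bit toy group so that it runs without a bignum library. dh_compute_key() here mimics the libcrypto contract (minimal big-endian encoding, -1 on error) rather than calling it; dh_pub_ok(), dh_shared_secret(), modexp(), the helper names and the group parameters are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit modular arithmetic so the example runs without a bignum
 * library; real IKE groups are 1024 bits and up and use BIGNUMs. */
static uint64_t
mulmod(uint64_t a, uint64_t b, uint64_t m)
{
	return (uint64_t)(((unsigned __int128)a * b) % m);
}

static uint64_t
modexp(uint64_t base, uint64_t exp, uint64_t m)
{
	uint64_t r = 1 % m;

	base %= m;
	for (; exp != 0; exp >>= 1) {
		if (exp & 1)
			r = mulmod(r, base, m);
		base = mulmod(base, base, m);
	}
	return r;
}

/* Bytes needed for v, as BN_num_bytes() reports: 0 for v == 0. */
static size_t
num_bytes(uint64_t v)
{
	size_t n = 0;

	for (; v != 0; v >>= 8)
		n++;
	return n;
}

/* Minimal big-endian encoding, mirroring BN_bn2bin(): leading zero
 * bytes are dropped, so the length depends on the value. */
static size_t
bn2bin_min(uint64_t v, uint8_t *out)
{
	size_t n = num_bytes(v), i;

	for (i = 0; i < n; i++)
		out[n - 1 - i] = (uint8_t)(v >> (8 * i));
	return n;
}

/* Degenerate peer values: y = 0, 1 or p-1 pin the shared secret to
 * 0, 1 or +-1 whatever our exponent is, and y >= p is not a group
 * element at all. Returns 1 if y may be used. */
int
dh_pub_ok(uint64_t y, uint64_t p)
{
	return y >= 2 && y <= p - 2;
}

/* Same contract as libcrypto's DH_compute_key(): writes the minimal
 * encoding of y^x mod p to key and returns its length, or -1 on
 * error. key must hold num_bytes(p) bytes. */
int
dh_compute_key(uint8_t *key, uint64_t peer_pub, uint64_t priv, uint64_t p)
{
	if (!dh_pub_ok(peer_pub, p))
		return -1;
	return (int)bn2bin_min(modexp(peer_pub, priv, p), key);
}

/* Consumer that gets the remaining two pitfalls right: the error
 * return is negative, so test it with "< 0" rather than "!ret", and
 * the secret is left-padded with zeros to the byte length of p, the
 * fixed size the protocol expects. Returns 0 on success, -1 on error;
 * out must hold outlen == num_bytes(p) bytes. */
int
dh_shared_secret(uint8_t *out, size_t outlen, uint64_t peer_pub,
    uint64_t priv, uint64_t p)
{
	uint8_t tmp[sizeof(uint64_t)];
	int ret;

	if (outlen != num_bytes(p))
		return -1;
	ret = dh_compute_key(tmp, peer_pub, priv, p);
	if (ret < 0)
		return -1;
	memset(out, 0, outlen);
	memcpy(out + outlen - (size_t)ret, tmp, (size_t)ret);
	return 0;
}

int
main(void)
{
	/* Constructed toy group: p = 2^61 - 1 (a prime), generator 5. */
	const uint64_t p = UINT64_C(0x1FFFFFFFFFFFFFFF), g = 5;
	const uint64_t a = 123456789, b = 987654321;
	uint8_t ka[8], kb[8];
	int rc;

	rc = dh_shared_secret(ka, sizeof(ka), modexp(g, b, p), a, p);
	rc |= dh_shared_secret(kb, sizeof(kb), modexp(g, a, p), b, p);
	printf("ok=%d same=%d\n", rc == 0, memcmp(ka, kb, 8) == 0);
	return 0;
}
```

With the real library the shape is the same: size the buffer from BN_num_bytes() of the modulus (or, for EC groups, of the field), treat any negative return from DH_compute_key() as failure, and move the minimal-length result to the right-hand end of a zeroed buffer. A secret whose top byte happens to be zero is otherwise one byte short, which is exactly the intermittent negotiation failure 1.14 describes.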


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.10 08-Apr-2005 cloder

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.9 15-Apr-2004 deraadt

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer


Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
# 1.8 03-Jun-2003 ho

Remove clauses 3 and 4. With approval from Niklas Hallqvist and
Niels Provos.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.7 09-Jun-2002 todd

rm trailing whitespace


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE OPENBSD_3_1_BASE
# 1.6 09-Apr-2001 ho

More style fixes...


Revision tags: OPENBSD_2_6_BASE OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.5 19-Apr-1999 niklas

branches: 1.5.6;
./cookie.c: Merge with EOM 1.20
./dh.c: Merge with EOM 1.5
./hash.c: Merge with EOM 1.10
./math_group.h: Merge with EOM 1.7

Style. alloc error reporting. Math error propagation. Allocate right
sizes.

1999 copyrights


Revision tags: OPENBSD_2_5_BASE
# 1.4 26-Feb-1999 niklas

Merge from the Ericsson repository
| revision 1.3
| date: 1999/02/25 11:38:51; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------


# 1.3 17-Nov-1998 niklas

Add RCS Ids from the EOM repository


# 1.2 15-Nov-1998 niklas

openBSD RCS IDs


# 1.1 15-Nov-1998 niklas

branches: 1.1.1;
Initial revision


# 1.25 14-Jan-2022 tb

isakmpd: convert modp to opaque DH


# 1.24 30-Nov-2021 tb

isakmpd: convert modp_init() for opaque DH.

ok jsing


# 1.23 29-Nov-2021 deraadt

the code in this file has reason to include any sys/*.h header files,
let alone sys/param.h, which it uses to get roundup(). make a local
copy of the macro, and call it a day.


Revision tags: OPENBSD_7_0_BASE
# 1.22 13-May-2021 tb

Use field independent versions of {get,set}_coordinates()

ok tobhe


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.21 08-Nov-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included.

The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.

Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presen-
ted tag. This could be used to implement backwards compatibility to
older isakmpds.

Prompted by and ok mpi@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.20 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.18 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.17 25-Aug-2014 reyk

Sync dh.[ch] from iked. The files are identical, so any change in
either iked or isakmpd should be synced to the other daemon. The
previous changes from iked include: plug two memory leaks, verify EC
points and add the Brainpool curves. All tests in
regress/sbin/isakmpd/dh passed OKAY.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.16 11-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.15 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.14 15-Jun-2011 mikeb

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.

Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.

ok sthen


Revision tags: OPENBSD_4_9_BASE
# 1.13 29-Nov-2010 markus

branches: 1.13.2;
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.12 29-Jun-2010 reyk

branches: 1.12.2;
Replace the hand-crafted Diffie-Hellman implementation in isakmpd with
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).

ok deraadt@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.11 04-May-2006 djm

check for degenerate Diffie-Hellman public exponents;
ok markus@ hshoexer@ deraadt@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.10 08-Apr-2005 cloder

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.9 15-Apr-2004 deraadt

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer


Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
# 1.8 03-Jun-2003 ho

Remove clauses 3 and 4. With approval from Niklas Hallqvist and
Niels Provos.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.7 09-Jun-2002 todd

rm trailing whitespace


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE OPENBSD_3_1_BASE
# 1.6 09-Apr-2001 ho

More style fixes...


Revision tags: OPENBSD_2_6_BASE OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.5 19-Apr-1999 niklas

branches: 1.5.6;
./cookie.c: Merge with EOM 1.20
./dh.c: Merge with EOM 1.5
./hash.c: Merge with EOM 1.10
./math_group.h: Merge with EOM 1.7

Style. alloc error reporting. Math error propagation. Allocate right
sizes.

1999 copyrights


Revision tags: OPENBSD_2_5_BASE
# 1.4 26-Feb-1999 niklas

Merge from the Ericsson repository
| revision 1.3
| date: 1999/02/25 11:38:51; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------


# 1.3 17-Nov-1998 niklas

Add RCS Ids from the EOM repository


# 1.2 15-Nov-1998 niklas

openBSD RCS IDs


# 1.1 15-Nov-1998 niklas

branches: 1.1.1;
Initial revision


# 1.24 30-Nov-2021 tb

isakmpd: convert modp_init() for opaque DH.

ok jsing


# 1.23 29-Nov-2021 deraadt

the code in this file has reason to include any sys/*.h header files,
let alone sys/param.h, which it uses to get roundup(). make a local
copy of the macro, and call it a day.


Revision tags: OPENBSD_7_0_BASE
# 1.22 13-May-2021 tb

Use field independent versions of {get,set}_coordinates()

ok tobhe


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.21 08-Nov-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included.

The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.

Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presen-
ted tag. This could be used to implement backwards compatibility to
older isakmpds.

Prompted by and ok mpi@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.20 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.18 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.17 25-Aug-2014 reyk

Sync dh.[ch] from iked. The files are identical, so any change in
either iked or isakmpd should be synced to the other daemon. The
previous changes from iked include: plug two memory leaks, verify EC
points and add the Brainpool curves. All tests in
regress/sbin/isakmpd/dh passed OKAY.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.16 11-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.15 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.14 15-Jun-2011 mikeb

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.

Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.

ok sthen


Revision tags: OPENBSD_4_9_BASE
# 1.13 29-Nov-2010 markus

branches: 1.13.2;
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.12 29-Jun-2010 reyk

branches: 1.12.2;
Replace the hand-crafted Diffie-Hellman implementation in isakmpd with
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).

ok deraadt@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.11 04-May-2006 djm

check for degenerate Diffie-Hellman public exponents;
ok markus@ hshoexer@ deraadt@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.10 08-Apr-2005 cloder

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.9 15-Apr-2004 deraadt

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer


Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
# 1.8 03-Jun-2003 ho

Remove clauses 3 and 4. With approval from Niklas Hallqvist and
Niels Provos.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.7 09-Jun-2002 todd

rm trailing whitespace


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE OPENBSD_3_1_BASE
# 1.6 09-Apr-2001 ho

More style fixes...


Revision tags: OPENBSD_2_6_BASE OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.5 19-Apr-1999 niklas

branches: 1.5.6;
./cookie.c: Merge with EOM 1.20
./dh.c: Merge with EOM 1.5
./hash.c: Merge with EOM 1.10
./math_group.h: Merge with EOM 1.7

Style. alloc error reporting. Math error propagation. Allocate right
sizes.

1999 copyrights


Revision tags: OPENBSD_2_5_BASE
# 1.4 26-Feb-1999 niklas

Merge from the Ericsson repository
| revision 1.3
| date: 1999/02/25 11:38:51; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------


# 1.3 17-Nov-1998 niklas

Add RCS Ids from the EOM repository


# 1.2 15-Nov-1998 niklas

openBSD RCS IDs


# 1.1 15-Nov-1998 niklas

branches: 1.1.1;
Initial revision


# 1.23 29-Nov-2021 deraadt

the code in this file has reason to include any sys/*.h header files,
let alone sys/param.h, which it uses to get roundup(). make a local
copy of the macro, and call it a day.


Revision tags: OPENBSD_7_0_BASE
# 1.22 13-May-2021 tb

Use field independent versions of {get,set}_coordinates()

ok tobhe


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.21 08-Nov-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included.

The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.

Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presen-
ted tag. This could be used to implement backwards compatibility to
older isakmpds.

Prompted by and ok mpi@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.20 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.18 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.17 25-Aug-2014 reyk

Sync dh.[ch] from iked. The files are identical, so any change in
either iked or isakmpd should be synced to the other daemon. The
previous changes from iked include: plug two memory leaks, verify EC
points and add the Brainpool curves. All tests in
regress/sbin/isakmpd/dh passed OKAY.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.16 11-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.15 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.14 15-Jun-2011 mikeb

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.

Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.

ok sthen


Revision tags: OPENBSD_4_9_BASE
# 1.13 29-Nov-2010 markus

branches: 1.13.2;
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.12 29-Jun-2010 reyk

branches: 1.12.2;
Replace the hand-crafted Diffie-Hellman implementation in isakmpd with
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).

ok deraadt@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.11 04-May-2006 djm

check for degenerate Diffie-Hellman public exponents;
ok markus@ hshoexer@ deraadt@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.10 08-Apr-2005 cloder

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.9 15-Apr-2004 deraadt

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer


Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
# 1.8 03-Jun-2003 ho

Remove clauses 3 and 4. With approval from Niklas Hallqvist and
Niels Provos.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.7 09-Jun-2002 todd

rm trailing whitespace


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE OPENBSD_3_1_BASE
# 1.6 09-Apr-2001 ho

More style fixes...


Revision tags: OPENBSD_2_6_BASE OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.5 19-Apr-1999 niklas

branches: 1.5.6;
./cookie.c: Merge with EOM 1.20
./dh.c: Merge with EOM 1.5
./hash.c: Merge with EOM 1.10
./math_group.h: Merge with EOM 1.7

Style. alloc error reporting. Math error propagation. Allocate right
sizes.

1999 copyrights


Revision tags: OPENBSD_2_5_BASE
# 1.4 26-Feb-1999 niklas

Merge from the Ericsson repository
| revision 1.3
| date: 1999/02/25 11:38:51; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------


# 1.3 17-Nov-1998 niklas

Add RCS Ids from the EOM repository


# 1.2 15-Nov-1998 niklas

openBSD RCS IDs


# 1.1 15-Nov-1998 niklas

branches: 1.1.1;
Initial revision


# 1.22 13-May-2021 tb

Use field independent versions of {get,set}_coordinates()

ok tobhe


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.21 08-Nov-2017 patrick

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included.

The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.

Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presen-
ted tag. This could be used to implement backwards compatibility to
older isakmpds.

Prompted by and ok mpi@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.20 04-Jan-2017 mikeb

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.19 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.18 12-Oct-2014 jsg

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@


# 1.17 25-Aug-2014 reyk

Sync dh.[ch] from iked. The files are identical, so any change in
either iked or isakmpd should be synced to the other daemon. The
previous changes from iked include: plug two memory leaks, verify EC
points and add the Brainpool curves. All tests in
regress/sbin/isakmpd/dh passed OKAY.

ok markus@ mikeb@


Revision tags: OPENBSD_5_6_BASE
# 1.16 11-Jul-2014 jsg

add additional includes required to build with -DOPENSSL_NO_DEPRECATED


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.15 04-Jun-2012 mikeb

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.14 15-Jun-2011 mikeb

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.

Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.

ok sthen


Revision tags: OPENBSD_4_9_BASE
# 1.13 29-Nov-2010 markus

branches: 1.13.2;
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@


Revision tags: OPENBSD_4_8_BASE
# 1.12 29-Jun-2010 reyk

branches: 1.12.2;
Replace the hand-crafted Diffie-Hellman implementation in isakmpd with
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).

ok deraadt@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.11 04-May-2006 djm

check for degenerate Diffie-Hellman public exponents;
ok markus@ hshoexer@ deraadt@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.10 08-Apr-2005 cloder

Make deterministic randomness (only ever used for testing) a compile-time
option. Reduces chances of somehow setting regrand when it's not supposed
to be set. Remove "-r" option from man page. Also xref certpatch(8) while
we are in there. And remove some include sysdep.h where it is no longer
needed.
OK hshoexer


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.9 15-Apr-2004 deraadt

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer


Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
# 1.8 03-Jun-2003 ho

Remove clauses 3 and 4. With approval from Niklas Hallqvist and
Niels Provos.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.7 09-Jun-2002 todd

rm trailing whitespace


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE OPENBSD_3_1_BASE
# 1.6 09-Apr-2001 ho

More style fixes...


Revision tags: OPENBSD_2_6_BASE OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.5 19-Apr-1999 niklas

branches: 1.5.6;
./cookie.c: Merge with EOM 1.20
./dh.c: Merge with EOM 1.5
./hash.c: Merge with EOM 1.10
./math_group.h: Merge with EOM 1.7

Style. alloc error reporting. Math error propagation. Allocate right
sizes.

1999 copyrights


Revision tags: OPENBSD_2_5_BASE
# 1.4 26-Feb-1999 niklas

Merge from the Ericsson repository
| revision 1.3
| date: 1999/02/25 11:38:51; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------


# 1.3 17-Nov-1998 niklas

Add RCS Ids from the EOM repository


# 1.2 15-Nov-1998 niklas

OpenBSD RCS IDs


# 1.1 15-Nov-1998 niklas

branches: 1.1.1;
Initial revision

