Hi, the EC2N family of curves have been marked as insecure for at least 10 years. In fact, IANA has stopped listing them altogether [1]. Their former IDs are now 'reserved'.
I think it's time for us to drop them as well. ok? [1] https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8
Index: dh.c
===================================================================
RCS file: /cvs/src/sbin/iked/dh.c,v
retrieving revision 1.22
diff -u -p -r1.22 dh.c
--- dh.c 2 Apr 2019 09:42:55 -0000 1.22
+++ dh.c 27 Apr 2020 22:58:24 -0000
@@ -35,7 +35,7 @@ int modp_getlen(struct group *);
 int modp_create_exchange(struct group *, uint8_t *);
 int modp_create_shared(struct group *, uint8_t *, uint8_t *);
 
-/* EC2N/ECP */
+/* ECP */
 int ec_init(struct group *);
 int ec_getlen(struct group *);
 int ec_secretlen(struct group *);
@@ -83,8 +83,6 @@ const struct group_id ike_groups[] = {
 "FFFFFFFFFFFFFFFF",
 "02"
 },
- { GROUP_EC2N, 3, 155, NULL, NULL, NID_ipsec3 },
- { GROUP_EC2N, 4, 185, NULL, NULL, NID_ipsec4 },
 { GROUP_MODP, 5, 1536,
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
@@ -290,7 +288,6 @@ group_get(uint32_t id)
 group->exchange = modp_create_exchange;
 group->shared = modp_create_shared;
 break;
- case GROUP_EC2N:
 case GROUP_ECP:
 group->init = ec_init;
 group->getlen = ec_getlen;
Index: dh.h
===================================================================
RCS file: /cvs/src/sbin/iked/dh.h,v
retrieving revision 1.11
diff -u -p -r1.11 dh.h
--- dh.h 27 Oct 2017 14:26:35 -0000 1.11
+++ dh.h 27 Apr 2020 22:58:24 -0000
@@ -21,7 +21,6 @@
 
 enum group_type {
 GROUP_MODP = 0,
- GROUP_EC2N = 1,
 GROUP_ECP = 2,
 GROUP_CURVE25519 = 3
 };
Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.66
diff -u -p -r1.66 iked.conf.5
--- iked.conf.5 27 Apr 2020 22:40:09 -0000 1.66
+++ iked.conf.5 27 Apr 2020 22:58:24 -0000
@@ -909,8 +909,6 @@ keyword:
 .It Em Name Ta Em Group Ta Em Size Ta Em Type
 .It Li modp768 Ta grp1 Ta 768 Ta "MODP"
 .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP"
-.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]"
-.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]"
 .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP"
 .It Li modp2048 Ta grp14 Ta 2048 Ta "MODP"
 .It Li modp3072 Ta grp15 Ta 3072 Ta "MODP"
@@ -931,11 +929,8 @@ keyword:
 .Pp
 The currently supported group types are either
 MODP (exponentiation groups modulo a prime),
-EC2N (elliptic curve groups over GF[2^N]),
 ECP (elliptic curve groups modulo a prime),
 or Curve25519.
-Please note that the EC2N groups are considered as insecure and only
-provided for backwards compatibility.
 .Sh FILES
 .Bl -tag -width /etc/examples/iked.conf -compact
 .It Pa /etc/iked.conf
Index: ikev2.h
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.h,v
retrieving revision 1.31
diff -u -p -r1.31 ikev2.h
--- ikev2.h 3 Dec 2019 12:38:34 -0000 1.31
+++ ikev2.h 27 Apr 2020 22:58:24 -0000
@@ -230,8 +230,6 @@ extern struct iked_constmap ikev2_xforma
 #define IKEV2_XFORMDH_NONE 0 /* No DH */
 #define IKEV2_XFORMDH_MODP_768 1 /* DH Group 1 */
 #define IKEV2_XFORMDH_MODP_1024 2 /* DH Group 2 */
-#define IKEV2_XFORMDH_EC2N_155 3 /* DH Group 3 */
-#define IKEV2_XFORMDH_EC2N_185 4 /* DH Group 3 */
 #define IKEV2_XFORMDH_MODP_1536 5 /* DH Group 5 */
 #define IKEV2_XFORMDH_MODP_2048 14 /* DH Group 14 */
 #define IKEV2_XFORMDH_MODP_3072 15 /* DH Group 15 */
Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.95
diff -u -p -r1.95 parse.y
--- parse.y 26 Apr 2020 16:55:47 -0000 1.95
+++ parse.y 27 Apr 2020 22:58:24 -0000
@@ -223,10 +223,6 @@ const struct ipsec_xf groupxfs[] = {
 { "grp1", IKEV2_XFORMDH_MODP_768 },
 { "modp1024", IKEV2_XFORMDH_MODP_1024 },
 { "grp2", IKEV2_XFORMDH_MODP_1024 },
- { "ec2n155", IKEV2_XFORMDH_EC2N_155 },
- { "grp3", IKEV2_XFORMDH_EC2N_155 },
- { "ec2n185", IKEV2_XFORMDH_EC2N_185 },
- { "grp4", IKEV2_XFORMDH_EC2N_185 },
 { "modp1536", IKEV2_XFORMDH_MODP_1536 },
 { "grp5", IKEV2_XFORMDH_MODP_1536 },
 { "modp2048", IKEV2_XFORMDH_MODP_2048 },