* OpenBSD 3.1 SA 010: Receiving IKE payloads out of sequence can cause
isakmpd(8) to crash.
* A rewrite of the CRL support code, also from <Thomas.Walpuski@gmx.net>.
Some style mods, and checks added for OpenSSL version 0.9.7 or later.
Currently CRLs are not supported for earlier versions.
Manual pages updated.
* Handle configuration lines that end in whitespace or ^M.
Also avoid a potential memory leak.
* Start for support of IKECFG in SET/ACK mode. Server side only so far.
* Fix keyed HMAC where the key was longer than the blocksize
- Change DH group handling in the pre-generated parts of the
configuration. Add a -GRP{1,2,5} component to transform and suite
names to directly specify which group to use. If no group is
specified, use DH group 2 (MODP_1024). Earlier transforms and suites
using the MD5 hash defaulted to DH group 1, this is no longer true.
- Unbreak MD5 and SHA1 passphrases in policy check.
- Don't message_dump_raw() bad length messages, i.e. too short.
- Fix a couple of snprintf length bugs.
- Compile without warnings for older/newer OpenSSL.
- str[n]{cpy,cat} -> strl{cpy,cat}, sprintf -> snprintf
- strftime format fixes
- Don't hang waiting for select() with SIGTERM + no active SA
- Add UI option 'R' to trigger isakmpd reinit (same as SIGHUP)
...
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/
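The "keyed HMAC where the key was longer than the blocksize" item above refers to the rule in RFC 2104 section 2: a key longer than the hash block size B must first be hashed, and the digest used as the key. The following is an added example written for this page, not isakmpd's code; it writes HMAC out by hand next to the classic wrong version that just truncates the key to a B-byte buffer, and checks both against Python's hmac module. The function names, the sample keys and the sample message are constructed here.

```python
"""HMAC per RFC 2104, spelled out to show the long-key rule.

Added example for this page, not isakmpd's own code.  B = 64 is the
block size of MD5 and SHA-1; function and constant names are mine.
"""
import hashlib
import hmac  # used only as the reference implementation to compare against

BLOCK_SIZE = 64  # B in RFC 2104: block size in bytes of MD5 and SHA-1


def _hmac_with_padded_key(key, msg, hashfunc):
    """H((K' ^ opad) || H((K' ^ ipad) || msg)) for a key already <= B bytes."""
    key = key.ljust(BLOCK_SIZE, b"\x00")          # zero-pad K' to B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfunc(ipad + msg).digest()
    return hashfunc(opad + inner).digest()


def hmac_rfc2104(key: bytes, msg: bytes, hashfunc=hashlib.sha1) -> bytes:
    """Correct handling: a key longer than B is replaced by H(key) first."""
    if len(key) > BLOCK_SIZE:
        key = hashfunc(key).digest()
    return _hmac_with_padded_key(key, msg, hashfunc)


def hmac_truncating_key(key: bytes, msg: bytes, hashfunc=hashlib.sha1) -> bytes:
    """The classic mistake, kept only for contrast: a fixed B-byte key buffer
    silently drops everything past B bytes instead of hashing the key.
    For keys <= B bytes it is indistinguishable from the correct code."""
    return _hmac_with_padded_key(key[:BLOCK_SIZE], msg, hashfunc)


def matches_reference(key: bytes, msg: bytes, impl) -> bool:
    """True if impl agrees with the hmac module (HMAC-SHA1) for this key."""
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    return hmac.compare_digest(impl(key, msg), expected)


SHORT_KEY = b"k" * 20     # constructed: fits inside one block
LONG_KEY = b"k" * 100     # constructed: longer than B, must be hashed first
MSG = b"ISAKMP payload"   # constructed sample data

if __name__ == "__main__":
    for name, key in (("short key", SHORT_KEY), ("long key", LONG_KEY)):
        print(name,
              "rfc2104:", matches_reference(key, MSG, hmac_rfc2104),
              "truncating:", matches_reference(key, MSG, hmac_truncating_key))
```

With the 20-byte key both versions agree with the reference, which is why a truncation bug survives ordinary testing; only the 100-byte key exposes it. The RFC 2104 test vector (HMAC-MD5, key of sixteen 0x0b bytes, text "Hi There") is a cheap regression check for the correct path.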
key changes since 20010403:
- be more picky about isakmpd.policy permission
- debug: dump decoded IKE packets in pcap(3) format
- cert improvements
- RFC2367 compliance
- bug fixes: correct SA refcnt, memory alloc and doc fixes
(isakmpd-20010403.tar.gz is placed into ftp.netbsd.org LOCAL_PORTS directory).
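On "be more picky about isakmpd.policy permission": the page does not say which checks isakmpd applies, so the following is an added example of the usual ones a daemon makes before trusting a policy or secret file, not isakmpd's code. It refuses symlinks and non-regular files, requires the expected owner, and rejects any group/other permission bits; the function names and the two throwaway fixture files are constructed here.

```python
"""Permission check for a private policy/secret file.

Added example; not isakmpd's own check.  The rules are the customary
ones (regular file, expected owner, no group/other bits), chosen here
because the page does not spell out isakmpd's.
"""
import os
import stat
import tempfile


def check_private_file(path: str, expected_uid: int = 0) -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    try:
        st = os.lstat(path)  # lstat so that a symlink is seen as a symlink
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symbolic link")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access" % mode)
    return problems


def demo() -> dict:
    """Create two throwaway files (constructed fixtures) and check both.

    Ownership is checked against the current uid so the demo works when
    not run as root; a daemon would pass the uid it runs as (usually 0).
    """
    results = {}
    for label, mode in (("private", 0o600), ("world_readable", 0o644)):
        fd, path = tempfile.mkstemp(prefix="isakmpd.policy.")
        os.write(fd, b"KeyNote-Version: 2\n")  # constructed placeholder content
        os.close(fd)
        os.chmod(path, mode)  # explicit chmod, so the umask cannot interfere
        try:
            results[label] = check_private_file(path, expected_uid=os.getuid())
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "ok")
```

Using lstat() rather than stat() matters: a policy file that is a symlink into a directory someone else controls passes every mode check on the target yet is still attacker-influenced.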
major changes from source-changes@openbsd mailing list:
use the hash algorithm found in original certificate for the signature
after it has been patched. from angelos@
For the GETSPI PFKEY message, use the sequence number from the ACQUIRE
message.
Make DES a feature, so isakmpd can compile on Linux (most of the fixes
by newsham@lava.net)
x509 verified to work on NetBSD now
BROKEN variable. Unfortunately, no ChangeLog is available.
Patch system dependent make goo to use 'SSLBASE', mirroring its use in
bsd.pkg.mk, rather than obsolete 'PATENTEDOPENSSLSRC'. Also, replace
hard-coded "/usr/pkg" with ${LOCALBASE}. Finally, set 'LOCALBASE'
and 'SSLBASE' conditionally within the package, for convenience.
RESTRICTED= variables that were predicated on former U.S. export
regulations. Add CRYPTO=, as necessary, so it's still possible to
exclude all crypto packages from a build by setting MKCRYPTO=no
(but "lintpkgsrc -R" will no longer catch them).
Specifically,
- All packages which set USE_SSL just lose their RESTRICTED
variable, since MKCRYPTO responds to USE_SSL directly.
- realplayer7 and ns-flash keep their RESTRICTED, which is based
on license terms, but also gain the CRYPTO variable.
- srp-client is now marked broken, since the distfile is evidently
no longer available. On this, we're no worse off than before.
[We haven't been mirroring the distfile, or testing the build!]
- isakmpd gets CRYPTO for RESTRICTED, but remains broken.
- crack loses all restrictions, as it does not evidently empower
a user to utilize strong encryption (working definition: ability
to encode a message that requires a secret key plus big number
arithmetic to decode).
If you are tired of using racoon, you may want to try it.
(may not work as expected due to PF_KEY differences)
---
This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE)
implementation. It's written by Niklas Hallqvist and Niels Provos,
funded by Ericsson Radio Systems AB. Currently it is work in
progress, although it can be used for real setups. There are
releases, but this distribution is not a release and is not named with
ordinary version numbers. When you got the source, hopefully the
archive was named with a date which reflects when it was created.
These archives are also known as snapshots and will be created at
irregular intervals and put up on ftp.gsnig.net and ftp.appli.se in
/pub/isakmpd. From Nov 14, 1998 isakmpd is also available in the
OpenBSD main source tree under src/sbin/isakmpd, though slightly
modified because I don't want to carry support files for other OSes in
that distribution. Look at http://www.openbsd.org/ for details on how
to get OpenBSD source.