parent
20a44a5c66
commit
f3bb1bd039
2
HACKING
2
HACKING
|
@ -9,7 +9,7 @@ For interested developers, we have a public repository. To check out and
|
||||||
compile the code, you need the following tools:
|
compile the code, you need the following tools:
|
||||||
|
|
||||||
- Git
|
- Git
|
||||||
- a recent GNU C complier (>= 3.x)
|
- a recent GNU C compiler (>= 3.x)
|
||||||
- automake
|
- automake
|
||||||
- autoconf
|
- autoconf
|
||||||
- libtool
|
- libtool
|
||||||
|
|
20
NEWS
20
NEWS
|
@ -520,7 +520,7 @@ strongswan-4.3.1
|
||||||
CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
|
CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
|
||||||
a missing TSi or TSr payload caused a null pointer derefence because the
|
a missing TSi or TSr payload caused a null pointer derefence because the
|
||||||
checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
|
checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
|
||||||
developped by the Orange Labs vulnerability research team. The tool was
|
developed by the Orange Labs vulnerability research team. The tool was
|
||||||
initially written by Gabriel Campana and is now maintained by Laurent Butti.
|
initially written by Gabriel Campana and is now maintained by Laurent Butti.
|
||||||
|
|
||||||
- Added support for AES counter mode in ESP in IKEv2 using the proposal
|
- Added support for AES counter mode in ESP in IKEv2 using the proposal
|
||||||
|
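Review bot: "derefence" on the line "a missing TSi or TSr payload caused a null pointer derefence because the" is still misspelled in both the old and new version of this hunk; since the commit already touches the neighbouring "developped" line of the same entry, it should read "null pointer dereference" as well.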
@ -560,7 +560,7 @@ strongswan-4.2.14
|
||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
- The new server-side EAP RADIUS plugin (--enable-eap-radius)
|
- The new server-side EAP RADIUS plugin (--enable-eap-radius)
|
||||||
relays EAP messages to and from a RADIUS server. Succesfully
|
relays EAP messages to and from a RADIUS server. Successfully
|
||||||
tested with with a freeradius server using EAP-MD5 and EAP-SIM.
|
tested with with a freeradius server using EAP-MD5 and EAP-SIM.
|
||||||
|
|
||||||
- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
|
- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
|
||||||
|
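Review bot: the duplicated word in "tested with with a freeradius server using EAP-MD5 and EAP-SIM." survives this hunk unchanged, one line below the "Succesfully" fix; drop the second "with" while this entry is being edited.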
@ -588,7 +588,7 @@ strongswan-4.2.13
|
||||||
- Fixed a use-after-free bug in the DPD timeout section of the
|
- Fixed a use-after-free bug in the DPD timeout section of the
|
||||||
IKEv1 pluto daemon which sporadically caused a segfault.
|
IKEv1 pluto daemon which sporadically caused a segfault.
|
||||||
|
|
||||||
- Fixed a crash in the IKEv2 charon daemon occuring with
|
- Fixed a crash in the IKEv2 charon daemon occurring with
|
||||||
mixed RAM-based and SQL-based virtual IP address pools.
|
mixed RAM-based and SQL-based virtual IP address pools.
|
||||||
|
|
||||||
- Fixed ASN.1 parsing of algorithmIdentifier objects where the
|
- Fixed ASN.1 parsing of algorithmIdentifier objects where the
|
||||||
|
@ -678,7 +678,7 @@ strongswan-4.2.9
|
||||||
The installpolicy=no option allows peaceful cooperation with a dominant
|
The installpolicy=no option allows peaceful cooperation with a dominant
|
||||||
mip6d daemon and the new type=transport_proxy implements the special MIPv6
|
mip6d daemon and the new type=transport_proxy implements the special MIPv6
|
||||||
IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
|
IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
|
||||||
but the IPsec SA is set up for the Home Adress.
|
but the IPsec SA is set up for the Home Address.
|
||||||
|
|
||||||
- Implemented migration of Mobile IPv6 connections using the KMADDRESS
|
- Implemented migration of Mobile IPv6 connections using the KMADDRESS
|
||||||
field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
|
field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
|
||||||
|
@ -841,7 +841,7 @@ strongswan-4.2.1
|
||||||
connection setups over new ones, where the value "replace" replaces existing
|
connection setups over new ones, where the value "replace" replaces existing
|
||||||
connections.
|
connections.
|
||||||
|
|
||||||
- The crypto factory in libstrongswan additionaly supports random number
|
- The crypto factory in libstrongswan additionally supports random number
|
||||||
generators, plugins may provide other sources of randomness. The default
|
generators, plugins may provide other sources of randomness. The default
|
||||||
plugin reads raw random data from /dev/(u)random.
|
plugin reads raw random data from /dev/(u)random.
|
||||||
|
|
||||||
|
@ -1115,7 +1115,7 @@ strongswan-4.1.3
|
||||||
is provided and more advanced backends (using e.g. a database) are trivial
|
is provided and more advanced backends (using e.g. a database) are trivial
|
||||||
to implement.
|
to implement.
|
||||||
|
|
||||||
- Fixed a compilation failure in libfreeswan occuring with Linux kernel
|
- Fixed a compilation failure in libfreeswan occurring with Linux kernel
|
||||||
headers > 2.6.17.
|
headers > 2.6.17.
|
||||||
|
|
||||||
|
|
||||||
|
@ -1426,7 +1426,7 @@ strongswan-2.7.0
|
||||||
the successful setup and teardown of an IPsec SA, respectively.
|
the successful setup and teardown of an IPsec SA, respectively.
|
||||||
left|rightfirwall can be used with KLIPS under any Linux 2.4
|
left|rightfirwall can be used with KLIPS under any Linux 2.4
|
||||||
kernel or with NETKEY under a Linux kernel version >= 2.6.16
|
kernel or with NETKEY under a Linux kernel version >= 2.6.16
|
||||||
in conjuction with iptables >= 1.3.5. For NETKEY under a Linux
|
in conjunction with iptables >= 1.3.5. For NETKEY under a Linux
|
||||||
kernel version < 2.6.16 which does not support IPsec policy
|
kernel version < 2.6.16 which does not support IPsec policy
|
||||||
matching yet, please continue to use a copy of the _updown_espmark
|
matching yet, please continue to use a copy of the _updown_espmark
|
||||||
template loaded via the left|rightupdown keyword.
|
template loaded via the left|rightupdown keyword.
|
||||||
|
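Review bot: "left|rightfirwall" on the line "left|rightfirwall can be used with KLIPS under any Linux 2.4" is left as is in both columns; the keyword is leftfirewall/rightfirewall, so this line should be corrected together with the "conjuction" fix in the same hunk.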
@ -1932,7 +1932,7 @@ strongswan-2.2.2
|
||||||
and reduces the well-known four tunnel case on VPN gateways to
|
and reduces the well-known four tunnel case on VPN gateways to
|
||||||
a single tunnel definition (see README section 2.4).
|
a single tunnel definition (see README section 2.4).
|
||||||
|
|
||||||
- Fixed a bug occuring with NAT-Traversal enabled when the responder
|
- Fixed a bug occurring with NAT-Traversal enabled when the responder
|
||||||
suddenly turns initiator and the initiator cannot find a matching
|
suddenly turns initiator and the initiator cannot find a matching
|
||||||
connection because of the floated IKE port 4500.
|
connection because of the floated IKE port 4500.
|
||||||
|
|
||||||
|
@ -1948,11 +1948,11 @@ strongswan-2.2.1
|
||||||
- Introduced the ipsec auto --listalgs monitoring command which lists
|
- Introduced the ipsec auto --listalgs monitoring command which lists
|
||||||
all currently registered IKE and ESP algorithms.
|
all currently registered IKE and ESP algorithms.
|
||||||
|
|
||||||
- Fixed a bug in the ESP algorithm selection occuring when the strict flag
|
- Fixed a bug in the ESP algorithm selection occurring when the strict flag
|
||||||
is set and the first proposed transform does not match.
|
is set and the first proposed transform does not match.
|
||||||
|
|
||||||
- Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
|
- Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
|
||||||
occuring when a smartcard is present.
|
occurring when a smartcard is present.
|
||||||
|
|
||||||
- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
|
- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
|
||||||
|
|
||||||
|
|
6
README
6
README
|
@ -138,7 +138,7 @@ interoperability with the Check Point VPN-1 NG gateway.
|
||||||
|
|
||||||
In the following examples we assume for reasons of clarity that left designates
|
In the following examples we assume for reasons of clarity that left designates
|
||||||
the local host and that right is the remote host. Certificates for users, hosts
|
the local host and that right is the remote host. Certificates for users, hosts
|
||||||
and gateways are issued by a ficticious strongSwan CA. How to generate private keys
|
and gateways are issued by a fictitious strongSwan CA. How to generate private keys
|
||||||
and certificates using OpenSSL will be explained in section 3. The CA certificate
|
and certificates using OpenSSL will be explained in section 3. The CA certificate
|
||||||
"strongswanCert.pem" must be present on all VPN end points in order to be able to
|
"strongswanCert.pem" must be present on all VPN end points in order to be able to
|
||||||
authenticate the peers.
|
authenticate the peers.
|
||||||
|
@ -1959,7 +1959,7 @@ and the returned result might be a decrypted 128 bit AES key
|
||||||
000 8836362e030e6707c32ffaa0bdad5540
|
000 8836362e030e6707c32ffaa0bdad5540
|
||||||
|
|
||||||
The leading three characters represent the return code of the whack channel
|
The leading three characters represent the return code of the whack channel
|
||||||
with 000 signifying that no error has occured. Here is another example showing
|
with 000 signifying that no error has occurred. Here is another example showing
|
||||||
the use of the inbase and outbase attributes
|
the use of the inbase and outbase attributes
|
||||||
|
|
||||||
ipsec scdecrypt m/ewDnTs0k...woE= --inbase base64 --outbase text
|
ipsec scdecrypt m/ewDnTs0k...woE= --inbase base64 --outbase text
|
||||||
|
@ -2195,7 +2195,7 @@ The command
|
||||||
ipsec listpubkeys [--utc]
|
ipsec listpubkeys [--utc]
|
||||||
|
|
||||||
lists all public keys currently installed in the chained list of public
|
lists all public keys currently installed in the chained list of public
|
||||||
keys. These keys were statically loaded from ipsec.conf or aquired either
|
keys. These keys were statically loaded from ipsec.conf or acquired either
|
||||||
from received certificates or retrieved from secure DNS servers using
|
from received certificates or retrieved from secure DNS servers using
|
||||||
opportunistic mode.
|
opportunistic mode.
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@ new keying daemon, which is called #charon.
|
||||||
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
|
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
|
||||||
Charon uses another socket interface, called stroke. Stroke uses another
|
Charon uses another socket interface, called stroke. Stroke uses another
|
||||||
format as whack and therefore is not compatible to whack. The starter utility,
|
format as whack and therefore is not compatible to whack. The starter utility,
|
||||||
wich does fast configuration parsing, speaks both the protocols, whack and
|
which does fast configuration parsing, speaks both the protocols, whack and
|
||||||
stroke. It also handles daemon startup and termination.
|
stroke. It also handles daemon startup and termination.
|
||||||
Pluto uses starter for some commands, for other it uses the whack utility. To be
|
Pluto uses starter for some commands, for other it uses the whack utility. To be
|
||||||
as close to pluto as possible, charon has the same split up of commands to
|
as close to pluto as possible, charon has the same split up of commands to
|
||||||
|
@ -47,7 +47,7 @@ Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
|
||||||
500. Under Linux, there is no clean way to set up two sockets at the same port.
|
500. Under Linux, there is no clean way to set up two sockets at the same port.
|
||||||
To reslove this problem, charon uses a RAW socket, as they are used in network
|
To reslove this problem, charon uses a RAW socket, as they are used in network
|
||||||
sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
|
sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
|
||||||
traffic. Pluto receives any IKE message, independant of charons behavior.
|
traffic. Pluto receives any IKE message, independent of charons behavior.
|
||||||
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
|
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
|
||||||
|
|
||||||
To gain some reusability of the code, generic crypto and utility functions are
|
To gain some reusability of the code, generic crypto and utility functions are
|
||||||
|
|
|
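Review bot: "To reslove this problem, charon uses a RAW socket" still has "reslove" for "resolve" in both columns of this hunk, and "filters out all none-IKEv2 traffic" should be "non-IKEv2"; both sit within the seven lines already being edited for "independant", so they should be fixed here.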
@ -298,7 +298,7 @@ and
|
||||||
.B rightsubnet
|
.B rightsubnet
|
||||||
, a connection is established.
|
, a connection is established.
|
||||||
.B start
|
.B start
|
||||||
loads a connection and brings it up immediatly.
|
loads a connection and brings it up immediately.
|
||||||
.B ignore
|
.B ignore
|
||||||
ignores the connection. This is equal to delete a connection from the config
|
ignores the connection. This is equal to delete a connection from the config
|
||||||
file.
|
file.
|
||||||
|
@ -1172,7 +1172,7 @@ so a new (automatically-keyed) connection using the same ID is
|
||||||
almost invariably intended to replace an old one.
|
almost invariably intended to replace an old one.
|
||||||
The IKEv2 daemon also accepts the value
|
The IKEv2 daemon also accepts the value
|
||||||
.B replace
|
.B replace
|
||||||
wich is identical to
|
which is identical to
|
||||||
.B yes
|
.B yes
|
||||||
and the value
|
and the value
|
||||||
.B keep
|
.B keep
|
||||||
|
|
|
@ -110,11 +110,11 @@ binary-common:
|
||||||
dh_gencontrol
|
dh_gencontrol
|
||||||
dh_md5sums
|
dh_md5sums
|
||||||
dh_builddeb
|
dh_builddeb
|
||||||
# Build architecture independant packages using the common target.
|
# Build architecture independent packages using the common target.
|
||||||
binary-indep: build-indep install
|
binary-indep: build-indep install
|
||||||
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
|
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
|
||||||
|
|
||||||
# Build architecture dependant packages using the common target.
|
# Build architecture dependent packages using the common target.
|
||||||
binary-arch: build-arch install
|
binary-arch: build-arch install
|
||||||
$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common
|
$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common
|
||||||
|
|
||||||
|
|
|
@ -130,11 +130,11 @@ binary-common:
|
||||||
dh_md5sums
|
dh_md5sums
|
||||||
dh_builddeb
|
dh_builddeb
|
||||||
|
|
||||||
# Build architecture independant packages using the common target.
|
# Build architecture independent packages using the common target.
|
||||||
binary-indep: build-indep install
|
binary-indep: build-indep install
|
||||||
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
|
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
|
||||||
|
|
||||||
# Build architecture dependant packages using the common target.
|
# Build architecture dependent packages using the common target.
|
||||||
binary-arch: build-arch install
|
binary-arch: build-arch install
|
||||||
$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common
|
$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@ Depends: strongswan-nm, strongswan-eap-gtc, strongswan-eap-md5, strongswan-eap-m
|
||||||
Description: network management framework (strongSwan plugin)
|
Description: network management framework (strongSwan plugin)
|
||||||
NetworkManager attempts to keep an active network connection available at
|
NetworkManager attempts to keep an active network connection available at
|
||||||
all times. It is intended primarily for laptops where it allows easy
|
all times. It is intended primarily for laptops where it allows easy
|
||||||
switching betwen local wireless networks, it's also useful on desktops
|
switching between local wireless networks, it's also useful on desktops
|
||||||
with a selection of different interfaces to use. It is not intended for
|
with a selection of different interfaces to use. It is not intended for
|
||||||
usage on servers.
|
usage on servers.
|
||||||
.
|
.
|
||||||
|
|
|
@ -89,7 +89,7 @@ msgstr ""
|
||||||
#: ../properties/nm-strongswan-dialog.glade.h:12
|
#: ../properties/nm-strongswan-dialog.glade.h:12
|
||||||
msgid ""
|
msgid ""
|
||||||
"IPComp compresses raw IP packets before they get encrypted. This saves some "
|
"IPComp compresses raw IP packets before they get encrypted. This saves some "
|
||||||
"bandwith, but uses more processing power."
|
"bandwidth, but uses more processing power."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"IPComp komprimiert IP-Pakete, bevor sie verschlüsselt werden. Diese Option "
|
"IPComp komprimiert IP-Pakete, bevor sie verschlüsselt werden. Diese Option "
|
||||||
"kann Bandbreite sparen, benötigt jedoch zusätzliche Rechenleistung."
|
"kann Bandbreite sparen, benötigt jedoch zusätzliche Rechenleistung."
|
||||||
|
|
|
@ -319,7 +319,7 @@
|
||||||
<property name="can_focus">True</property>
|
<property name="can_focus">True</property>
|
||||||
<property name="receives_default">False</property>
|
<property name="receives_default">False</property>
|
||||||
<property name="has_tooltip">True</property>
|
<property name="has_tooltip">True</property>
|
||||||
<property name="tooltip" translatable="yes">IPComp compresses raw IP packets before they get encrypted. This saves some bandwith, but uses more processing power.</property>
|
<property name="tooltip" translatable="yes">IPComp compresses raw IP packets before they get encrypted. This saves some bandwidth, but uses more processing power.</property>
|
||||||
<property name="use_underline">True</property>
|
<property name="use_underline">True</property>
|
||||||
<property name="draw_indicator">True</property>
|
<property name="draw_indicator">True</property>
|
||||||
</widget>
|
</widget>
|
||||||
|
|
|
@ -47,7 +47,7 @@ struct udp_sock {
|
||||||
unsigned int corkflag; /* Cork is required */
|
unsigned int corkflag; /* Cork is required */
|
||||||
__u16 encap_type; /* Is this an Encapsulation socket? */
|
__u16 encap_type; /* Is this an Encapsulation socket? */
|
||||||
/*
|
/*
|
||||||
* Following member retains the infomation to create a UDP header
|
* Following member retains the information to create a UDP header
|
||||||
* when the socket is uncorked.
|
* when the socket is uncorked.
|
||||||
*/
|
*/
|
||||||
__u16 len; /* total length of pending frames */
|
__u16 len; /* total length of pending frames */
|
||||||
|
|
|
@ -177,7 +177,7 @@ struct bus_t {
|
||||||
/**
|
/**
|
||||||
* Send a log message to the bus.
|
* Send a log message to the bus.
|
||||||
*
|
*
|
||||||
* The signal specifies the type of the event occured. The format string
|
* The signal specifies the type of the event occurred. The format string
|
||||||
* specifies an additional informational or error message with a
|
* specifies an additional informational or error message with a
|
||||||
* printf() like variable argument list.
|
* printf() like variable argument list.
|
||||||
* Use the DBG() macros.
|
* Use the DBG() macros.
|
||||||
|
|
|
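Review bot: after the spelling fix the sentence "The signal specifies the type of the event occurred." is still ungrammatical; suggest "The signal specifies the type of event that occurred." so the doc comment reads cleanly.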
@ -84,7 +84,7 @@ struct listener_t {
|
||||||
/**
|
/**
|
||||||
* Hook called for received/sent messages of an IKE_SA.
|
* Hook called for received/sent messages of an IKE_SA.
|
||||||
*
|
*
|
||||||
* @param ike_sa IKE_SA sending/receving a message
|
* @param ike_sa IKE_SA sending/receiving a message
|
||||||
* @param message message object
|
* @param message message object
|
||||||
* @param incoming TRUE for incoming messages, FALSE for outgoing
|
* @param incoming TRUE for incoming messages, FALSE for outgoing
|
||||||
* @return TRUE to stay registered, FALSE to unregister
|
* @return TRUE to stay registered, FALSE to unregister
|
||||||
|
|
|
@ -73,7 +73,7 @@ struct child_cfg_t {
|
||||||
* Add a proposal to the list.
|
* Add a proposal to the list.
|
||||||
*
|
*
|
||||||
* The proposals are stored by priority, first added
|
* The proposals are stored by priority, first added
|
||||||
* is the most prefered.
|
* is the most preferred.
|
||||||
* After add, proposal is owned by child_cfg.
|
* After add, proposal is owned by child_cfg.
|
||||||
*
|
*
|
||||||
* @param proposal proposal to add
|
* @param proposal proposal to add
|
||||||
|
@ -95,7 +95,7 @@ struct child_cfg_t {
|
||||||
*
|
*
|
||||||
* Returned propsal is newly created and must be destroyed after usage.
|
* Returned propsal is newly created and must be destroyed after usage.
|
||||||
*
|
*
|
||||||
* @param proposals list from from wich proposals are selected
|
* @param proposals list from which proposals are selected
|
||||||
* @param strip_dh TRUE strip out diffie hellman groups
|
* @param strip_dh TRUE strip out diffie hellman groups
|
||||||
* @param private accept algorithms from a private range
|
* @param private accept algorithms from a private range
|
||||||
* @return selected proposal, or NULL if nothing matches
|
* @return selected proposal, or NULL if nothing matches
|
||||||
|
|
|
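Review bot: two further defects remain in the lines this hunk touches: "Returned propsal is newly created" should be "proposal", and the corrected "@param proposals list from from which proposals are selected" still carries a doubled "from"; fix both in the same change.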
@ -110,7 +110,7 @@ struct private_peer_cfg_t {
|
||||||
u_int32_t reauth_time;
|
u_int32_t reauth_time;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Time, which specifies the range of a random value substracted from above.
|
* Time, which specifies the range of a random value subtracted from above.
|
||||||
*/
|
*/
|
||||||
u_int32_t jitter_time;
|
u_int32_t jitter_time;
|
||||||
|
|
||||||
|
|
|
@ -110,7 +110,7 @@ extern enum_name_t *unique_policy_names;
|
||||||
* peer. Each config is enforced using the multiple authentication extension
|
* peer. Each config is enforced using the multiple authentication extension
|
||||||
* (RFC4739).
|
* (RFC4739).
|
||||||
* The remote authentication configs are handled as constraints. The peer has
|
* The remote authentication configs are handled as constraints. The peer has
|
||||||
* to fullfill each of these rules (using multiple authentication, in any order)
|
* to fulfill each of these rules (using multiple authentication, in any order)
|
||||||
* to gain access to the configuration.
|
* to gain access to the configuration.
|
||||||
*/
|
*/
|
||||||
struct peer_cfg_t {
|
struct peer_cfg_t {
|
||||||
|
@ -328,14 +328,14 @@ struct peer_cfg_t {
|
||||||
* (rekeylifetime - random(0, jitter)).
|
* (rekeylifetime - random(0, jitter)).
|
||||||
*
|
*
|
||||||
* @param name name of the peer_cfg
|
* @param name name of the peer_cfg
|
||||||
* @param ike_version which IKE version we sould use for this peer
|
* @param ike_version which IKE version we should use for this peer
|
||||||
* @param ike_cfg IKE config to use when acting as initiator
|
* @param ike_cfg IKE config to use when acting as initiator
|
||||||
* @param cert_policy should we send a certificate payload?
|
* @param cert_policy should we send a certificate payload?
|
||||||
* @param unique uniqueness of an IKE_SA
|
* @param unique uniqueness of an IKE_SA
|
||||||
* @param keyingtries how many keying tries should be done before giving up
|
* @param keyingtries how many keying tries should be done before giving up
|
||||||
* @param rekey_time timeout before starting rekeying
|
* @param rekey_time timeout before starting rekeying
|
||||||
* @param reauth_time timeout before starting reauthentication
|
* @param reauth_time timeout before starting reauthentication
|
||||||
* @param jitter_time timerange to randomly substract from rekey/reauth time
|
* @param jitter_time timerange to randomly subtract from rekey/reauth time
|
||||||
* @param over_time maximum overtime before closing a rekeying/reauth SA
|
* @param over_time maximum overtime before closing a rekeying/reauth SA
|
||||||
* @param mobike use MOBIKE (RFC4555) if peer supports it
|
* @param mobike use MOBIKE (RFC4555) if peer supports it
|
||||||
* @param dpd DPD check interval, 0 to disable
|
* @param dpd DPD check interval, 0 to disable
|
||||||
|
|
|
@ -120,7 +120,7 @@ struct proposal_t {
|
||||||
* compared. If they have at least one algorithm of each type
|
* compared. If they have at least one algorithm of each type
|
||||||
* in common, a resulting proposal of this kind is created.
|
* in common, a resulting proposal of this kind is created.
|
||||||
*
|
*
|
||||||
* @param other proposal to compair agains
|
* @param other proposal to compare against
|
||||||
* @param private accepts algorithms allocated in a private range
|
* @param private accepts algorithms allocated in a private range
|
||||||
* @return selected proposal, NULL if proposals don't match
|
* @return selected proposal, NULL if proposals don't match
|
||||||
*/
|
*/
|
||||||
|
@ -180,7 +180,7 @@ struct proposal_t {
|
||||||
*
|
*
|
||||||
* @param protocol protocol, such as PROTO_ESP
|
* @param protocol protocol, such as PROTO_ESP
|
||||||
* @param number proposal number, as encoded in SA payload
|
* @param number proposal number, as encoded in SA payload
|
||||||
* @return proposal_t object
|
* @return proposal_t object
|
||||||
*/
|
*/
|
||||||
proposal_t *proposal_create(protocol_id_t protocol, u_int number);
|
proposal_t *proposal_create(protocol_id_t protocol, u_int number);
|
||||||
|
|
||||||
|
@ -188,7 +188,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number);
|
||||||
* Create a default proposal if nothing further specified.
|
* Create a default proposal if nothing further specified.
|
||||||
*
|
*
|
||||||
* @param protocol protocol, such as PROTO_ESP
|
* @param protocol protocol, such as PROTO_ESP
|
||||||
* @return proposal_t object
|
* @return proposal_t object
|
||||||
*/
|
*/
|
||||||
proposal_t *proposal_create_default(protocol_id_t protocol);
|
proposal_t *proposal_create_default(protocol_id_t protocol);
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol);
|
||||||
*
|
*
|
||||||
* @param protocol protocol, such as PROTO_ESP
|
* @param protocol protocol, such as PROTO_ESP
|
||||||
* @param algs algorithms as string
|
* @param algs algorithms as string
|
||||||
* @return proposal_t object
|
* @return proposal_t object
|
||||||
*/
|
*/
|
||||||
proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
|
proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
|
||||||
|
|
||||||
|
|
|
@ -334,7 +334,7 @@ METHOD(controller_t, terminate_ike, status_t,
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
charon->bus->listen(charon->bus, &job.listener.public, &job.public);
|
charon->bus->listen(charon->bus, &job.listener.public, &job.public);
|
||||||
/* checkin of the ike_sa happend in the thread that executed the job */
|
/* checkin of the ike_sa happened in the thread that executed the job */
|
||||||
charon->bus->set_sa(charon->bus, NULL);
|
charon->bus->set_sa(charon->bus, NULL);
|
||||||
}
|
}
|
||||||
return job.listener.status;
|
return job.listener.status;
|
||||||
|
@ -425,7 +425,7 @@ METHOD(controller_t, terminate_child, status_t,
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
charon->bus->listen(charon->bus, &job.listener.public, &job.public);
|
charon->bus->listen(charon->bus, &job.listener.public, &job.public);
|
||||||
/* checkin of the ike_sa happend in the thread that executed the job */
|
/* checkin of the ike_sa happened in the thread that executed the job */
|
||||||
charon->bus->set_sa(charon->bus, NULL);
|
charon->bus->set_sa(charon->bus, NULL);
|
||||||
}
|
}
|
||||||
return job.listener.status;
|
return job.listener.status;
|
||||||
|
|
|
@ -63,13 +63,13 @@
|
||||||
typedef struct {
|
typedef struct {
|
||||||
/* Payload type */
|
/* Payload type */
|
||||||
payload_type_t type;
|
payload_type_t type;
|
||||||
/* Minimal occurence of this payload. */
|
/* Minimal occurrence of this payload. */
|
||||||
size_t min_occurence;
|
size_t min_occurence;
|
||||||
/* Max occurence of this payload. */
|
/* Max occurrence of this payload. */
|
||||||
size_t max_occurence;
|
size_t max_occurence;
|
||||||
/* TRUE if payload must be encrypted */
|
/* TRUE if payload must be encrypted */
|
||||||
bool encrypted;
|
bool encrypted;
|
||||||
/* If payload occurs, the message rule is fullfilled */
|
/* If payload occurs, the message rule is fulfilled */
|
||||||
bool sufficient;
|
bool sufficient;
|
||||||
} payload_rule_t;
|
} payload_rule_t;
|
||||||
|
|
||||||
|
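Review bot: the comments "Minimal occurrence of this payload." and "Max occurrence of this payload." are corrected, but the members they document keep the old spelling (`size_t min_occurence;` / `size_t max_occurence;`), so comment and identifier now disagree; either rename the members and their uses in verify() (e.g. `if (found > rule->max_occurence)`) in the same commit, or state that the identifier spelling is intentionally retained.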
@ -1405,7 +1405,7 @@ static status_t verify(private_message_t *this)
|
||||||
if (found > rule->max_occurence)
|
if (found > rule->max_occurence)
|
||||||
{
|
{
|
||||||
DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
|
DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
|
||||||
"occured in current message", payload_type_names,
|
"occurred in current message", payload_type_names,
|
||||||
type, rule->max_occurence, found);
|
type, rule->max_occurence, found);
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
return VERIFY_ERROR;
|
return VERIFY_ERROR;
|
||||||
|
@ -1416,7 +1416,7 @@ static status_t verify(private_message_t *this)
|
||||||
|
|
||||||
if (!complete && found < rule->min_occurence)
|
if (!complete && found < rule->min_occurence)
|
||||||
{
|
{
|
||||||
DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
|
DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
|
||||||
payload_type_names, rule->type, rule->min_occurence, found);
|
payload_type_names, rule->type, rule->min_occurence, found);
|
||||||
return VERIFY_ERROR;
|
return VERIFY_ERROR;
|
||||||
}
|
}
|
||||||
|
|
|
@ -321,7 +321,7 @@ struct message_t {
|
||||||
/**
|
/**
|
||||||
* Find a payload of a specific type.
|
* Find a payload of a specific type.
|
||||||
*
|
*
|
||||||
* Returns the first occurance.
|
* Returns the first occurrence.
|
||||||
*
|
*
|
||||||
* @param type type of the payload to find
|
* @param type type of the payload to find
|
||||||
* @return payload, or NULL if no such payload found
|
* @return payload, or NULL if no such payload found
|
||||||
|
|
|
@ -142,7 +142,7 @@ METHOD(payload_t, set_next_type, void,
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Compute the lenght of the whole payload
|
* Compute the length of the whole payload
|
||||||
*/
|
*/
|
||||||
static void compute_length(private_encryption_payload_t *this)
|
static void compute_length(private_encryption_payload_t *this)
|
||||||
{
|
{
|
||||||
|
|
|
@ -407,7 +407,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
|
||||||
|
|
||||||
this = (private_proposal_substructure_t*)proposal_substructure_create();
|
this = (private_proposal_substructure_t*)proposal_substructure_create();
|
||||||
|
|
||||||
/* encryption algorithm is only availble in ESP */
|
/* encryption algorithm is only available in ESP */
|
||||||
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
|
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
|
||||||
while (enumerator->enumerate(enumerator, &alg, &key_size))
|
while (enumerator->enumerate(enumerator, &alg, &key_size))
|
||||||
{
|
{
|
||||||
|
|
|
@ -84,7 +84,7 @@ encoding_rule_t transform_substructure_encodings[] = {
|
||||||
{ U_INT_8, offsetof(private_transform_substructure_t, transform_type) },
|
{ U_INT_8, offsetof(private_transform_substructure_t, transform_type) },
|
||||||
/* 1 Reserved Byte */
|
/* 1 Reserved Byte */
|
||||||
{ RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[1]) },
|
{ RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[1]) },
|
||||||
/* tranform ID is a number of 8 bit */
|
/* transform ID is a number of 8 bit */
|
||||||
{ U_INT_16, offsetof(private_transform_substructure_t, transform_id) },
|
{ U_INT_16, offsetof(private_transform_substructure_t, transform_id) },
|
||||||
/* Attributes are stored in a transform attribute,
|
/* Attributes are stored in a transform attribute,
|
||||||
offset points to a linked_list_t pointer */
|
offset points to a linked_list_t pointer */
|
||||||
|
|
|
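Review bot: the corrected comment "transform ID is a number of 8 bit" contradicts the encoding rule directly below it, `{ U_INT_16, offsetof(private_transform_substructure_t, transform_id) }`, which encodes the transform ID as 16 bits; since the comment is being edited anyway, change it to "transform ID is a number of 16 bit" so it matches the rule.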
@ -118,7 +118,7 @@ transform_substructure_t *transform_substructure_create(void);
|
||||||
*
|
*
|
||||||
* @param type type of transform to create
|
* @param type type of transform to create
|
||||||
* @param id transform id specifc for the transform type
|
* @param id transform id specifc for the transform type
|
||||||
* @param key_length key length for key lenght attribute, 0 to omit
|
* @param key_length key length for key length attribute, 0 to omit
|
||||||
* @return transform_substructure_t object
|
* @return transform_substructure_t object
|
||||||
*/
|
*/
|
||||||
transform_substructure_t *transform_substructure_create_type(
|
transform_substructure_t *transform_substructure_create_type(
|
||||||
|
|
|
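Review bot: the `@param id` line two lines above the fixed one keeps the misspelling "specifc" in both versions; since this hunk already rewrites the same doc block, change it to "transform id specific for the transform type" as well.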
@ -30,7 +30,7 @@ typedef struct receiver_t receiver_t;
|
||||||
/**
|
/**
|
||||||
* Receives packets from the socket and adds them to the job queue.
|
* Receives packets from the socket and adds them to the job queue.
|
||||||
*
|
*
|
||||||
* The receiver starts a thread, wich reads on the blocking socket. A received
|
* The receiver starts a thread, which reads on the blocking socket. A received
|
||||||
* packet is preparsed and a process_message_job is queued in the job queue.
|
* packet is preparsed and a process_message_job is queued in the job queue.
|
||||||
*
|
*
|
||||||
* To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
|
* To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
|
||||||
|
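Review bot: the trailing context line "To endure DoS attacks, cookies are enabled when to many IKE_SAs are half" carries two more slips in the same doc block: "to many" should be "too many", and "endure" reads as "withstand" here. Worth folding into this hunk since it is already correcting the comment.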
@ -38,7 +38,7 @@ typedef struct receiver_t receiver_t;
|
||||||
* method in RFC4306. We do not include a nonce, because we think the advantage
|
* method in RFC4306. We do not include a nonce, because we think the advantage
|
||||||
* we gain does not justify the overhead to parse the whole message.
|
* we gain does not justify the overhead to parse the whole message.
|
||||||
* Instead of VersionIdOfSecret, we include a timestamp. This allows us to
|
* Instead of VersionIdOfSecret, we include a timestamp. This allows us to
|
||||||
* find out wich key was used for cookie creation. Further, we can set a
|
* find out which key was used for cookie creation. Further, we can set a
|
||||||
* lifetime for the cookie, which allows us to reuse the secret for a longer
|
* lifetime for the cookie, which allows us to reuse the secret for a longer
|
||||||
* time.
|
* time.
|
||||||
* COOKIE = time | sha1( IPi | SPIi | time | secret )
|
* COOKIE = time | sha1( IPi | SPIi | time | secret )
|
||||||
|
|
|
@ -52,7 +52,7 @@ METHOD(listener_t, log_, bool,
|
||||||
snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
|
snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
|
||||||
vsnprintf(buffer, sizeof(buffer), format, args);
|
vsnprintf(buffer, sizeof(buffer), format, args);
|
||||||
while (current)
|
while (current)
|
||||||
{ /* log each line seperately */
|
{ /* log each line separately */
|
||||||
next = strchr(current, '\n');
|
next = strchr(current, '\n');
|
||||||
if (next)
|
if (next)
|
||||||
{
|
{
|
||||||
|
|
|
@ -68,7 +68,7 @@ struct private_load_tester_plugin_t {
|
||||||
int initiators;
|
int initiators;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* currenly running initiators
|
* currently running initiators
|
||||||
*/
|
*/
|
||||||
int running;
|
int running;
|
||||||
|
|
||||||
|
|
|
@ -345,7 +345,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* schedule initation of all "active" connections
|
* schedule initiation of all "active" connections
|
||||||
*/
|
*/
|
||||||
static void schedule_autoinit(private_medcli_config_t *this)
|
static void schedule_autoinit(private_medcli_config_t *this)
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
|
||||||
<!-- strongSwan Managment Protocol (SMP) V1.0 -->
|
<!-- strongSwan Management Protocol (SMP) V1.0 -->
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
Copyright (C) 2007 Martin Willi
|
Copyright (C) 2007 Martin Willi
|
||||||
|
|
|
@ -871,7 +871,7 @@ METHOD(ike_sa_t, update_hosts, void,
|
||||||
|
|
||||||
if (!other->equals(other, this->other_host))
|
if (!other->equals(other, this->other_host))
|
||||||
{
|
{
|
||||||
/* update others adress if we are NOT NATed */
|
/* update others address if we are NOT NATed */
|
||||||
if (force || !has_condition(this, COND_NAT_HERE))
|
if (force || !has_condition(this, COND_NAT_HERE))
|
||||||
{
|
{
|
||||||
set_other_host(this, other->clone(other));
|
set_other_host(this, other->clone(other));
|
||||||
|
|
|
@ -689,7 +689,7 @@ struct ike_sa_t {
|
||||||
*
|
*
|
||||||
* Message processing may fail. If a critical failure occurs,
|
* Message processing may fail. If a critical failure occurs,
|
||||||
* process_message() return DESTROY_ME. Then the caller must
|
* process_message() return DESTROY_ME. Then the caller must
|
||||||
* destroy the IKE_SA immediatly, as it is unusable.
|
* destroy the IKE_SA immediately, as it is unusable.
|
||||||
*
|
*
|
||||||
* @param message message to process
|
* @param message message to process
|
||||||
* @return
|
* @return
|
||||||
|
|
|
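Review bot: "process_message() return DESTROY_ME" in the context line just above the fixed one should read "returns"; the grammar fix belongs in the same hunk as the "immediately" correction.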
@ -30,7 +30,7 @@ typedef struct ike_sa_id_t ike_sa_id_t;
|
||||||
* An object of type ike_sa_id_t is used to identify an IKE_SA.
|
* An object of type ike_sa_id_t is used to identify an IKE_SA.
|
||||||
*
|
*
|
||||||
* An IKE_SA is identified by its initiator and responder spi's.
|
* An IKE_SA is identified by its initiator and responder spi's.
|
||||||
* Additionaly it contains the role of the actual running IKEv2-Daemon
|
* Additionally it contains the role of the actual running IKEv2-Daemon
|
||||||
* for the specific IKE_SA (original initiator or responder).
|
* for the specific IKE_SA (original initiator or responder).
|
||||||
*/
|
*/
|
||||||
struct ike_sa_id_t {
|
struct ike_sa_id_t {
|
||||||
|
@ -40,28 +40,28 @@ struct ike_sa_id_t {
|
||||||
*
|
*
|
||||||
* This function is called when a request or reply of a IKE_SA_INIT is received.
|
* This function is called when a request or reply of a IKE_SA_INIT is received.
|
||||||
*
|
*
|
||||||
* @param responder_spi SPI of responder to set
|
* @param responder_spi SPI of responder to set
|
||||||
*/
|
*/
|
||||||
void (*set_responder_spi) (ike_sa_id_t *this, u_int64_t responder_spi);
|
void (*set_responder_spi) (ike_sa_id_t *this, u_int64_t responder_spi);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set the SPI of the initiator.
|
* Set the SPI of the initiator.
|
||||||
*
|
*
|
||||||
* @param initiator_spi SPI to set
|
* @param initiator_spi SPI to set
|
||||||
*/
|
*/
|
||||||
void (*set_initiator_spi) (ike_sa_id_t *this, u_int64_t initiator_spi);
|
void (*set_initiator_spi) (ike_sa_id_t *this, u_int64_t initiator_spi);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the initiator SPI.
|
* Get the initiator SPI.
|
||||||
*
|
*
|
||||||
* @return SPI of the initiator
|
* @return SPI of the initiator
|
||||||
*/
|
*/
|
||||||
u_int64_t (*get_initiator_spi) (ike_sa_id_t *this);
|
u_int64_t (*get_initiator_spi) (ike_sa_id_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the responder SPI.
|
* Get the responder SPI.
|
||||||
*
|
*
|
||||||
* @return SPI of the responder
|
* @return SPI of the responder
|
||||||
*/
|
*/
|
||||||
u_int64_t (*get_responder_spi) (ike_sa_id_t *this);
|
u_int64_t (*get_responder_spi) (ike_sa_id_t *this);
|
||||||
|
|
||||||
|
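Review bot: the old and new sides of this hunk read identically on every visible line, so the change appears to be whitespace only; worth confirming that is intended. While here, "a request or reply of a IKE_SA_INIT" could become "an IKE_SA_INIT".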
@ -70,8 +70,8 @@ struct ike_sa_id_t {
|
||||||
*
|
*
|
||||||
* Two ike_sa_id_t objects are equal if both SPI values and the role matches.
|
* Two ike_sa_id_t objects are equal if both SPI values and the role matches.
|
||||||
*
|
*
|
||||||
* @param other ike_sa_id_t object to check if equal
|
* @param other ike_sa_id_t object to check if equal
|
||||||
* @return TRUE if given ike_sa_id_t are equal, FALSE otherwise
|
* @return TRUE if given ike_sa_id_t are equal, FALSE otherwise
|
||||||
*/
|
*/
|
||||||
bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
|
bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
|
||||||
|
|
||||||
|
@ -81,28 +81,28 @@ struct ike_sa_id_t {
|
||||||
*
|
*
|
||||||
* After calling this function, both objects are equal.
|
* After calling this function, both objects are equal.
|
||||||
*
|
*
|
||||||
* @param other ike_sa_id_t object from which values will be taken
|
* @param other ike_sa_id_t object from which values will be taken
|
||||||
*/
|
*/
|
||||||
void (*replace_values) (ike_sa_id_t *this, ike_sa_id_t *other);
|
void (*replace_values) (ike_sa_id_t *this, ike_sa_id_t *other);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the initiator flag.
|
* Get the initiator flag.
|
||||||
*
|
*
|
||||||
* @return TRUE if we are the original initator
|
* @return TRUE if we are the original initator
|
||||||
*/
|
*/
|
||||||
bool (*is_initiator) (ike_sa_id_t *this);
|
bool (*is_initiator) (ike_sa_id_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Switche the original initiator flag.
|
* Switche the original initiator flag.
|
||||||
*
|
*
|
||||||
* @return TRUE if we are the original initator after switch, FALSE otherwise
|
* @return TRUE if we are the original initator after switch, FALSE otherwise
|
||||||
*/
|
*/
|
||||||
bool (*switch_initiator) (ike_sa_id_t *this);
|
bool (*switch_initiator) (ike_sa_id_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Clones a given ike_sa_id_t object.
|
* Clones a given ike_sa_id_t object.
|
||||||
*
|
*
|
||||||
* @return cloned ike_sa_id_t object
|
* @return cloned ike_sa_id_t object
|
||||||
*/
|
*/
|
||||||
ike_sa_id_t *(*clone) (ike_sa_id_t *this);
|
ike_sa_id_t *(*clone) (ike_sa_id_t *this);
|
||||||
|
|
||||||
|
|
|
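Review bot: three misspellings survive in this hunk's context lines: "original initator" in the is_initiator() return description, "Switche the original initiator flag" in the switch_initiator() summary, and "initator" again in its return line. Suggest "initiator" and "Switch" in the same change.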
@ -317,7 +317,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
|
||||||
if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
|
if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
|
||||||
{
|
{
|
||||||
/* establishing new child failed, reuse old. but not when we
|
/* establishing new child failed, reuse old. but not when we
|
||||||
* recieved a delete in the meantime */
|
* received a delete in the meantime */
|
||||||
if (!(this->collision &&
|
if (!(this->collision &&
|
||||||
this->collision->get_type(this->collision) == CHILD_DELETE))
|
this->collision->get_type(this->collision) == CHILD_DELETE))
|
||||||
{
|
{
|
||||||
|
|
|
@ -353,7 +353,7 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
|
||||||
notify_payload_t *notify;
|
notify_payload_t *notify;
|
||||||
host_t *me, *other;
|
host_t *me, *other;
|
||||||
|
|
||||||
/* only add notifies on successfull responses. */
|
/* only add notifies on successful responses. */
|
||||||
if (message->get_exchange_type(message) == IKE_SA_INIT &&
|
if (message->get_exchange_type(message) == IKE_SA_INIT &&
|
||||||
message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
|
message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
|
||||||
{
|
{
|
||||||
|
|
|
@ -89,7 +89,7 @@ extern enum_name_t *task_type_names;
|
||||||
* A responder does the opposite; it calls process() first to handle an incoming
|
* A responder does the opposite; it calls process() first to handle an incoming
|
||||||
* request and secondly calls build() to build an appropriate response.
|
* request and secondly calls build() to build an appropriate response.
|
||||||
* Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
|
* Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
|
||||||
* that the task completed, even when the task completed unsuccesfully. The
|
* that the task completed, even when the task completed unsuccessfully. The
|
||||||
* manager then removes the task from the list. A NEED_MORE is returned when
|
* manager then removes the task from the list. A NEED_MORE is returned when
|
||||||
* the task needs further build()/process() calls to complete, the manager
|
* the task needs further build()/process() calls to complete, the manager
|
||||||
* leaves the taks in the queue. A returned FAILED indicates a critical failure.
|
* leaves the taks in the queue. A returned FAILED indicates a critical failure.
|
||||||
|
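Review bot: the last visible context line still reads "leaves the taks in the queue"; "taks" should be "task", and it sits in the same paragraph as the "unsuccessfully" fix.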
@ -102,7 +102,7 @@ struct task_t {
|
||||||
*
|
*
|
||||||
* @param message message to add payloads to
|
* @param message message to add payloads to
|
||||||
* @return
|
* @return
|
||||||
* - FAILED if a critical error occured
|
* - FAILED if a critical error occurred
|
||||||
* - DESTROY_ME if IKE_SA has been properly deleted
|
* - DESTROY_ME if IKE_SA has been properly deleted
|
||||||
* - NEED_MORE if another call to build/process needed
|
* - NEED_MORE if another call to build/process needed
|
||||||
* - SUCCESS if task completed
|
* - SUCCESS if task completed
|
||||||
|
@ -114,7 +114,7 @@ struct task_t {
|
||||||
*
|
*
|
||||||
* @param message message to read payloads from
|
* @param message message to read payloads from
|
||||||
* @return
|
* @return
|
||||||
* - FAILED if a critical error occured
|
* - FAILED if a critical error occurred
|
||||||
* - DESTROY_ME if IKE_SA has been properly deleted
|
* - DESTROY_ME if IKE_SA has been properly deleted
|
||||||
* - NEED_MORE if another call to build/process needed
|
* - NEED_MORE if another call to build/process needed
|
||||||
* - SUCCESS if task completed
|
* - SUCCESS if task completed
|
||||||
|
|
|
@ -84,7 +84,7 @@ struct kernel_listener_t {
|
||||||
policy_dir_t direction, host_t *local, host_t *remote);
|
policy_dir_t direction, host_t *local, host_t *remote);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Hook called if changes in the networking layer occured (interfaces
|
* Hook called if changes in the networking layer occurred (interfaces
|
||||||
* up/down, routes added/deleted etc.).
|
* up/down, routes added/deleted etc.).
|
||||||
*
|
*
|
||||||
* @param address TRUE if address list, FALSE if routing changed
|
* @param address TRUE if address list, FALSE if routing changed
|
||||||
|
|
|
@ -2507,7 +2507,7 @@ static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Register a socket for AQUIRE/EXPIRE messages
|
* Register a socket for ACQUIRE/EXPIRE messages
|
||||||
*/
|
*/
|
||||||
static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
|
static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
|
||||||
{
|
{
|
||||||
|
|
|
@ -2327,7 +2327,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Register a socket for AQUIRE/EXPIRE messages
|
* Register a socket for ACQUIRE/EXPIRE messages
|
||||||
*/
|
*/
|
||||||
static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
|
static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
|
||||||
u_int8_t satype)
|
u_int8_t satype)
|
||||||
|
|
|
@ -57,7 +57,7 @@ chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Decribed in header.
|
* Described in header.
|
||||||
*/
|
*/
|
||||||
size_t chunk_length(const char* mode, ...)
|
size_t chunk_length(const char* mode, ...)
|
||||||
{
|
{
|
||||||
|
@ -87,7 +87,7 @@ size_t chunk_length(const char* mode, ...)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Decribed in header.
|
* Described in header.
|
||||||
*/
|
*/
|
||||||
chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
|
chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
|
||||||
{
|
{
|
||||||
|
@ -133,7 +133,7 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Decribed in header.
|
* Described in header.
|
||||||
*/
|
*/
|
||||||
void chunk_split(chunk_t chunk, const char *mode, ...)
|
void chunk_split(chunk_t chunk, const char *mode, ...)
|
||||||
{
|
{
|
||||||
|
@ -313,7 +313,7 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf)
|
||||||
/* subtract the number of optional ':' separation characters */
|
/* subtract the number of optional ':' separation characters */
|
||||||
len = hex.len;
|
len = hex.len;
|
||||||
ptr = hex.ptr;
|
ptr = hex.ptr;
|
||||||
for (i = 0; i < hex.len; i++)
|
for (i = 0; i < hex.len; i++)
|
||||||
{
|
{
|
||||||
if (*ptr++ == ':')
|
if (*ptr++ == ':')
|
||||||
{
|
{
|
||||||
|
|
|
@ -254,7 +254,7 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
|
||||||
* Increment a chunk, as it would reprensent a network order integer.
|
* Increment a chunk, as it would reprensent a network order integer.
|
||||||
*
|
*
|
||||||
* @param chunk chunk to increment
|
* @param chunk chunk to increment
|
||||||
* @return TRUE if an overflow occured
|
* @return TRUE if an overflow occurred
|
||||||
*/
|
*/
|
||||||
bool chunk_increment(chunk_t chunk);
|
bool chunk_increment(chunk_t chunk);
|
||||||
|
|
||||||
|
|
|
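Review bot: "as it would reprensent a network order integer" on the first line of this hunk is left misspelled on both sides; "represent".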
@ -31,7 +31,7 @@ typedef enum auth_class_t auth_class_t;
|
||||||
/**
|
/**
|
||||||
* Class of authentication to use. This is different to auth_method_t in that
|
* Class of authentication to use. This is different to auth_method_t in that
|
||||||
* it does not specify a method, but a class of acceptable methods. The found
|
* it does not specify a method, but a class of acceptable methods. The found
|
||||||
* certificate finally dictates wich method is used.
|
* certificate finally dictates which method is used.
|
||||||
*/
|
*/
|
||||||
enum auth_class_t {
|
enum auth_class_t {
|
||||||
/** any class acceptable */
|
/** any class acceptable */
|
||||||
|
@ -57,7 +57,7 @@ extern enum_name_t *auth_class_names;
|
||||||
* - For configs specifying local authentication behavior, the rules define
|
* - For configs specifying local authentication behavior, the rules define
|
||||||
* which authentication method in which way.
|
* which authentication method in which way.
|
||||||
* - For configs specifying remote peer authentication, the rules define
|
* - For configs specifying remote peer authentication, the rules define
|
||||||
* constraints the peer has to fullfill.
|
* constraints the peer has to fulfill.
|
||||||
*
|
*
|
||||||
* Additionally to the rules, there is a set of helper items. These are used
|
* Additionally to the rules, there is a set of helper items. These are used
|
||||||
* to transport credentials during the authentication process.
|
* to transport credentials during the authentication process.
|
||||||
|
|
|
@ -176,7 +176,7 @@ struct certificate_t {
|
||||||
/**
|
/**
|
||||||
* Check if two certificates are equal.
|
* Check if two certificates are equal.
|
||||||
*
|
*
|
||||||
* @param other certificate to compair against this
|
* @param other certificate to compare against this
|
||||||
* @return TRUE if certificates are equal
|
* @return TRUE if certificates are equal
|
||||||
*/
|
*/
|
||||||
bool (*equals)(certificate_t *this, certificate_t *other);
|
bool (*equals)(certificate_t *this, certificate_t *other);
|
||||||
|
|
|
@ -111,7 +111,7 @@ struct aead_t {
|
||||||
* Create a aead instance using traditional transforms.
|
* Create a aead instance using traditional transforms.
|
||||||
*
|
*
|
||||||
* @param crypter encryption transform for this aead
|
* @param crypter encryption transform for this aead
|
||||||
* @param signer integrity tranform for this aead
|
* @param signer integrity transform for this aead
|
||||||
* @return aead transform
|
* @return aead transform
|
||||||
*/
|
*/
|
||||||
aead_t *aead_create(crypter_t *crypter, signer_t *signer);
|
aead_t *aead_create(crypter_t *crypter, signer_t *signer);
|
||||||
|
|
|
@ -37,7 +37,7 @@ SUCH DAMAGE.
|
||||||
|
|
||||||
The license and distribution terms for any publically available version or
|
The license and distribution terms for any publically available version or
|
||||||
derivative of this code cannot be changed. i.e. this code cannot simply be
|
derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||||
copied and put under another distrubution license
|
copied and put under another distribution license
|
||||||
[including the GNU Public License.]
|
[including the GNU Public License.]
|
||||||
|
|
||||||
The reason behind this being stated in this direct manner is past
|
The reason behind this being stated in this direct manner is past
|
||||||
|
|
|
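Review bot: this is the verbatim text of a third-party license notice (the "publically available version or derivative" clause), and license text is normally carried exactly as its author wrote it, spelling included; suggest reverting the "distribution" edit here and leaving "publically" alone rather than rewording the notice.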
@ -67,7 +67,7 @@ typedef struct __attribute__((packed)) {
|
||||||
u_char salt[SALT_SIZE];
|
u_char salt[SALT_SIZE];
|
||||||
u_char iv[IV_SIZE];
|
u_char iv[IV_SIZE];
|
||||||
} nonce;
|
} nonce;
|
||||||
/* lenght of plain text, q */
|
/* length of plain text, q */
|
||||||
u_char q[Q_SIZE];
|
u_char q[Q_SIZE];
|
||||||
} b0_t;
|
} b0_t;
|
||||||
|
|
||||||
|
|
|
@ -80,7 +80,7 @@ struct private_des_crypter_t {
|
||||||
des_crypter_t public;
|
des_crypter_t public;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Key size, depends on algoritm...
|
* Key size, depends on algorithm...
|
||||||
*/
|
*/
|
||||||
size_t key_size;
|
size_t key_size;
|
||||||
|
|
||||||
|
@ -127,7 +127,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Unroll the inner loop, this sometimes helps, sometimes hinders.
|
/* Unroll the inner loop, this sometimes helps, sometimes hinders.
|
||||||
* Very mucy CPU dependant */
|
* Very much CPU dependent */
|
||||||
#ifndef DES_UNROLL
|
#ifndef DES_UNROLL
|
||||||
#define DES_UNROLL
|
#define DES_UNROLL
|
||||||
#endif
|
#endif
|
||||||
|
@ -316,7 +316,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
|
||||||
* bytes, probably an issue of accessing non-word aligned objects :-( */
|
* bytes, probably an issue of accessing non-word aligned objects :-( */
|
||||||
#ifdef DES_PTR
|
#ifdef DES_PTR
|
||||||
|
|
||||||
/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
|
/* It recently occurred to me that 0^0^0^0^0^0^0 == 0, so there
|
||||||
* is no reason to not xor all the sub items together. This potentially
|
* is no reason to not xor all the sub items together. This potentially
|
||||||
* saves a register since things can be xored directly into L */
|
* saves a register since things can be xored directly into L */
|
||||||
|
|
||||||
|
|
|
@ -68,7 +68,7 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
|
||||||
if (key)
|
if (key)
|
||||||
{
|
{
|
||||||
/* gcrypt might return more bytes than necessary. Truncate
|
/* gcrypt might return more bytes than necessary. Truncate
|
||||||
* to key lenght if key given, or prepend zeros if needed */
|
* to key length if key given, or prepend zeros if needed */
|
||||||
len = gcry_pk_get_nbits(key);
|
len = gcry_pk_get_nbits(key);
|
||||||
len = len / 8 + (len % 8 ? 1 : 0);
|
len = len / 8 + (len % 8 ? 1 : 0);
|
||||||
if (len > data.len)
|
if (len > data.len)
|
||||||
|
|
|
@ -30,7 +30,7 @@ typedef struct hmac_t hmac_t;
|
||||||
* Message authentication using hash functions.
|
* Message authentication using hash functions.
|
||||||
*
|
*
|
||||||
* This class implements the message authenticaion algorithm
|
* This class implements the message authenticaion algorithm
|
||||||
* described in RFC2104. It uses a hash function, wich must
|
* described in RFC2104. It uses a hash function, which must
|
||||||
* be implemented as a hasher_t class.
|
* be implemented as a hasher_t class.
|
||||||
*/
|
*/
|
||||||
struct hmac_t {
|
struct hmac_t {
|
||||||
|
|
|
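Review bot: "message authenticaion algorithm" on the line before the fixed "which" is still misspelled; "authentication".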
@ -495,7 +495,7 @@ typedef struct {
|
||||||
CK_SESSION_HANDLE session;
|
CK_SESSION_HANDLE session;
|
||||||
/* pkcs11 library */
|
/* pkcs11 library */
|
||||||
pkcs11_library_t *lib;
|
pkcs11_library_t *lib;
|
||||||
/* attributes to retreive */
|
/* attributes to retrieve */
|
||||||
CK_ATTRIBUTE_PTR attr;
|
CK_ATTRIBUTE_PTR attr;
|
||||||
/* number of attributes */
|
/* number of attributes */
|
||||||
CK_ULONG count;
|
CK_ULONG count;
|
||||||
|
|
|
@ -32,7 +32,7 @@ typedef struct pkcs11_manager_t pkcs11_manager_t;
|
||||||
*
|
*
|
||||||
* @param data user supplied data, as passed to pkcs11_manager_create()
|
* @param data user supplied data, as passed to pkcs11_manager_create()
|
||||||
* @param p11 loaded PKCS#11 library token belongs to
|
* @param p11 loaded PKCS#11 library token belongs to
|
||||||
* @param slot slot number the event occured in
|
* @param slot slot number the event occurred in
|
||||||
* @param add TRUE if token was added to the slot, FALSE if removed
|
* @param add TRUE if token was added to the slot, FALSE if removed
|
||||||
*/
|
*/
|
||||||
typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11,
|
typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11,
|
||||||
|
|
|
@ -52,7 +52,7 @@ struct plugin_t {
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Plugin constructor function definiton.
|
* Plugin constructor function definition.
|
||||||
*
|
*
|
||||||
* Each plugin has a constructor function. This function is called on daemon
|
* Each plugin has a constructor function. This function is called on daemon
|
||||||
* startup to initialize each plugin.
|
* startup to initialize each plugin.
|
||||||
|
|
|
@ -62,7 +62,7 @@ struct private_callback_job_t {
|
||||||
mutex_t *mutex;
|
mutex_t *mutex;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* list of asociated child jobs
|
* list of associated child jobs
|
||||||
*/
|
*/
|
||||||
linked_list_t *children;
|
linked_list_t *children;
|
||||||
|
|
||||||
|
|
|
@ -35,7 +35,7 @@ typedef struct scheduler_t scheduler_t;
|
||||||
* based data structure that satisfies the following property: if B is a child
|
* based data structure that satisfies the following property: if B is a child
|
||||||
* node of A, then key(A) >= (or <=) key(B). So either the element with the
|
* node of A, then key(A) >= (or <=) key(B). So either the element with the
|
||||||
* greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
|
* greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
|
||||||
* We use a min-heap whith the key being the absolute unix time at which an
|
* We use a min-heap with the key being the absolute unix time at which an
|
||||||
* event is scheduled. So the root is always the event that will fire next.
|
* event is scheduled. So the root is always the event that will fire next.
|
||||||
*
|
*
|
||||||
* An earlier implementation of the scheduler used a sorted linked list to store
|
* An earlier implementation of the scheduler used a sorted linked list to store
|
||||||
|
|
|
@ -110,7 +110,7 @@ u_int32_t settings_value_as_time(char *value, u_int32_t def);
|
||||||
* already existing values are replaced.
|
* already existing values are replaced.
|
||||||
*
|
*
|
||||||
* All settings included from files are added relative to the section the
|
* All settings included from files are added relative to the section the
|
||||||
* include statment is in.
|
* include statement is in.
|
||||||
*
|
*
|
||||||
* The following files result in the same final config as above:
|
* The following files result in the same final config as above:
|
||||||
*
|
*
|
||||||
|
|
|
@ -36,7 +36,7 @@ struct enumerator_t {
|
||||||
* The enumerate function takes a variable argument list containing
|
* The enumerate function takes a variable argument list containing
|
||||||
* pointers where the enumerated values get written.
|
* pointers where the enumerated values get written.
|
||||||
*
|
*
|
||||||
* @param ... variable list of enumerated items, implementation dependant
|
* @param ... variable list of enumerated items, implementation dependent
|
||||||
* @return TRUE if pointers returned
|
* @return TRUE if pointers returned
|
||||||
*/
|
*/
|
||||||
bool (*enumerate)(enumerator_t *this, ...);
|
bool (*enumerate)(enumerator_t *this, ...);
|
||||||
|
|
|
@ -40,7 +40,7 @@ struct private_host_t {
|
||||||
host_t public;
|
host_t public;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* low-lewel structure, wich stores the address
|
* low-lewel structure, which stores the address
|
||||||
*/
|
*/
|
||||||
union {
|
union {
|
||||||
/** generic type */
|
/** generic type */
|
||||||
|
|
|
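Review bot: the very line that gets "which" still reads "low-lewel structure"; "low-level" should be fixed together with it.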
@ -293,7 +293,7 @@ struct identification_t {
|
||||||
*
|
*
|
||||||
* In favour of pluto, domainnames are prepended with an @, since
|
* In favour of pluto, domainnames are prepended with an @, since
|
||||||
* pluto resolves domainnames without an @ to IPv4 addresses. Since
|
* pluto resolves domainnames without an @ to IPv4 addresses. Since
|
||||||
* we use a seperate host_t class for addresses, this doesn't
|
* we use a separate host_t class for addresses, this doesn't
|
||||||
* make sense for us.
|
* make sense for us.
|
||||||
*
|
*
|
||||||
* A distinguished name may contain one or more of the following RDNs:
|
* A distinguished name may contain one or more of the following RDNs:
|
||||||
|
|
|
@ -98,7 +98,7 @@ struct tls_alert_t {
|
||||||
/**
|
/**
|
||||||
* Did a fatal alert occur?.
|
* Did a fatal alert occur?.
|
||||||
*
|
*
|
||||||
* @return TRUE if a fatal alert has occured
|
* @return TRUE if a fatal alert has occurred
|
||||||
*/
|
*/
|
||||||
bool (*fatal)(tls_alert_t *this);
|
bool (*fatal)(tls_alert_t *this);
|
||||||
|
|
||||||
|
|
|
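Review bot: the summary line "Did a fatal alert occur?." has a stray period after the question mark in both versions; drop it while touching this doc block.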
@ -603,7 +603,7 @@ static suite_algs_t suite_algs[] = {
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Look up algoritms by a suite
|
* Look up algorithms by a suite
|
||||||
*/
|
*/
|
||||||
static suite_algs_t *find_suite(tls_cipher_suite_t suite)
|
static suite_algs_t *find_suite(tls_cipher_suite_t suite)
|
||||||
{
|
{
|
||||||
|
|
|
@ -242,7 +242,7 @@ METHOD(tls_fragmentation_t, process, status_t,
|
||||||
{
|
{
|
||||||
case ALERT_SENDING:
|
case ALERT_SENDING:
|
||||||
case ALERT_SENT:
|
case ALERT_SENT:
|
||||||
/* don't accept more input, fatal error ocurred */
|
/* don't accept more input, fatal error occurred */
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
case ALERT_NONE:
|
case ALERT_NONE:
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -112,7 +112,7 @@ METHOD(tls_protection_t, process, status_t,
|
||||||
private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
|
private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
|
||||||
{
|
{
|
||||||
if (this->alert->fatal(this->alert))
|
if (this->alert->fatal(this->alert))
|
||||||
{ /* don't accept more input, fatal error ocurred */
|
{ /* don't accept more input, fatal error occurred */
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -2110,7 +2110,7 @@ var jsc = (new Date).getTime();
|
||||||
|
|
||||||
jQuery.extend({
|
jQuery.extend({
|
||||||
get: function( url, data, callback, type ) {
|
get: function( url, data, callback, type ) {
|
||||||
// shift arguments if data argument was ommited
|
// shift arguments if data argument was omitted
|
||||||
if ( jQuery.isFunction( data ) ) {
|
if ( jQuery.isFunction( data ) ) {
|
||||||
callback = data;
|
callback = data;
|
||||||
data = null;
|
data = null;
|
||||||
|
|
|
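Review bot: this edits a bundled copy of jQuery (the `jQuery.extend({ get: ...` block), a third-party file; cosmetic changes to vendored code are lost on the next upstream update and make the bundled copy diverge from its release, so I would leave this file untouched or refresh it wholesale from upstream instead.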
@ -44,7 +44,7 @@ struct private_user_controller_t {
|
||||||
user_t *user;
|
user_t *user;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* minimum required password lenght
|
* minimum required password length
|
||||||
*/
|
*/
|
||||||
u_int password_length;
|
u_int password_length;
|
||||||
};
|
};
|
||||||
|
|
|
@ -658,7 +658,7 @@ extern const char *prettypolicy(lset_t policy);
|
||||||
#define POLICY_COMPRESS LELEM(4) /* must be third */
|
#define POLICY_COMPRESS LELEM(4) /* must be third */
|
||||||
#define POLICY_TUNNEL LELEM(5)
|
#define POLICY_TUNNEL LELEM(5)
|
||||||
#define POLICY_PFS LELEM(6)
|
#define POLICY_PFS LELEM(6)
|
||||||
#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* supress tunnel egress address checking */
|
#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* suppress tunnel egress address checking */
|
||||||
|
|
||||||
#define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
|
#define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
|
||||||
#define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
|
#define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
|
||||||
|
|
|
@ -544,7 +544,7 @@ init_demux(void)
|
||||||
* - ip(7) describes IP_RECVERR
|
* - ip(7) describes IP_RECVERR
|
||||||
* - recvmsg(2) describes MSG_ERRQUEUE
|
* - recvmsg(2) describes MSG_ERRQUEUE
|
||||||
* - readv(2) describes iovec
|
* - readv(2) describes iovec
|
||||||
* - cmsg(3) describes how to process auxilliary messages
|
* - cmsg(3) describes how to process auxiliary messages
|
||||||
*
|
*
|
||||||
* ??? we should link this message with one we've sent
|
* ??? we should link this message with one we've sent
|
||||||
* so that the diagnostic can refer to that negotiation.
|
* so that the diagnostic can refer to that negotiation.
|
||||||
|
@ -1580,7 +1580,7 @@ process_packet(struct msg_digest **mdp)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* okay, now we have to figure out if we are receiving a bogus
|
* okay, now we have to figure out if we are receiving a bogus
|
||||||
* new message in an oustanding XAUTH server conversation
|
* new message in an outstanding XAUTH server conversation
|
||||||
* (i.e. a reply to our challenge)
|
* (i.e. a reply to our challenge)
|
||||||
* (this occurs with some broken other implementations).
|
* (this occurs with some broken other implementations).
|
||||||
*
|
*
|
||||||
|
|
|
@ -205,7 +205,7 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* key_len passed comes from esp_attrs read from peer
|
* key_len passed comes from esp_attrs read from peer
|
||||||
* For many older algoritms (eg 3DES) this key_len is fixed
|
* For many older algorithms (eg 3DES) this key_len is fixed
|
||||||
* and get passed as 0.
|
* and get passed as 0.
|
||||||
* ... then get default key_len
|
* ... then get default key_len
|
||||||
*/
|
*/
|
||||||
|
|
|
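Review bot: while this comment block is being touched, the grammar on the following context lines should be fixed as well: `* and get passed as 0.` reads better as `* and gets passed as 0.`, and `eg 3DES` as `e.g. 3DES`. The comment documents that a peer-supplied key_len of 0 falls back to a default key length, so it is worth keeping precise.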
@ -22,7 +22,7 @@ struct file_lex_position
|
||||||
int lino; /* line number in file */
|
int lino; /* line number in file */
|
||||||
char buffer[MAX_TOK_LEN + 1]; /* note: one extra char for our use (jamming '"') */
|
char buffer[MAX_TOK_LEN + 1]; /* note: one extra char for our use (jamming '"') */
|
||||||
char *cur; /* cursor */
|
char *cur; /* cursor */
|
||||||
char under; /* except in shift(): character orignally at *cur */
|
char under; /* except in shift(): character originally at *cur */
|
||||||
struct file_lex_position *previous;
|
struct file_lex_position *previous;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -232,7 +232,7 @@ void nat_traversal_natd_lookup(struct msg_digest *md)
|
||||||
if (i < 2)
|
if (i < 2)
|
||||||
{
|
{
|
||||||
loglog(RC_LOG_SERIOUS,
|
loglog(RC_LOG_SERIOUS,
|
||||||
"NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i);
|
"NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negotiation", i);
|
||||||
st->nat_traversal = 0;
|
st->nat_traversal = 0;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
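Review bot: unlike the other hunks in this commit, this one changes a runtime log string rather than a comment: the RC_LOG_SERIOUS message now reads `Aborting NAT-Traversal negotiation` instead of `negociation`. Anything matching on the old text (log-based alerting, test expectations that grep pluto output) will need the new spelling, so this change deserves a NEWS or changelog mention rather than being folded silently into a typo sweep.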
@ -1437,7 +1437,7 @@ Phase 1.
|
||||||
\fBPluto\fP responds to \fBSIGHUP\fP by issuing a suggestion that ``\fBwhack\fP
|
\fBPluto\fP responds to \fBSIGHUP\fP by issuing a suggestion that ``\fBwhack\fP
|
||||||
\-\-listen'' might have been intended.
|
\-\-listen'' might have been intended.
|
||||||
.LP
|
.LP
|
||||||
\fBPluto\fP exits when it recieves \fBSIGTERM\fP.
|
\fBPluto\fP exits when it receives \fBSIGTERM\fP.
|
||||||
.SH EXIT STATUS
|
.SH EXIT STATUS
|
||||||
.LP
|
.LP
|
||||||
\fBpluto\fP normally forks a daemon process, so the exit status is
|
\fBpluto\fP normally forks a daemon process, so the exit status is
|
||||||
|
@ -1558,7 +1558,7 @@ There is no good way for a connection to be automatically terminated.
|
||||||
This is a problem for Road Warrior and Opportunistic connections.
|
This is a problem for Road Warrior and Opportunistic connections.
|
||||||
The \fB\-\-dontrekey\fP option does prevent the SAs from
|
The \fB\-\-dontrekey\fP option does prevent the SAs from
|
||||||
being rekeyed on expiry.
|
being rekeyed on expiry.
|
||||||
Additonally, if a Road Warrior connection has a client subnet with a fixed IP
|
Additionally, if a Road Warrior connection has a client subnet with a fixed IP
|
||||||
address, a negotiation with that subnet will cause any other
|
address, a negotiation with that subnet will cause any other
|
||||||
connection instantiations with that same subnet to be unoriented
|
connection instantiations with that same subnet to be unoriented
|
||||||
(deleted, in effect).
|
(deleted, in effect).
|
||||||
|
|
|
@ -282,7 +282,7 @@ void whack_handle(int whackctlfd)
|
||||||
{
|
{
|
||||||
if (msg.magic == WHACK_BASIC_MAGIC)
|
if (msg.magic == WHACK_BASIC_MAGIC)
|
||||||
{
|
{
|
||||||
/* Only shutdown command. Simpler inter-version compatability. */
|
/* Only shutdown command. Simpler inter-version compatibility. */
|
||||||
if (msg.whack_shutdown)
|
if (msg.whack_shutdown)
|
||||||
{
|
{
|
||||||
plog("shutting down");
|
plog("shutting down");
|
||||||
|
|
|
@ -1300,7 +1300,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
||||||
* proposal is emitted into it.
|
* proposal is emitted into it.
|
||||||
*
|
*
|
||||||
* If "selection" is true, the SA is supposed to represent the
|
* If "selection" is true, the SA is supposed to represent the
|
||||||
* single tranform that the peer has accepted.
|
* single transform that the peer has accepted.
|
||||||
* ??? We only check that it is acceptable, not that it is one that we offered!
|
* ??? We only check that it is acceptable, not that it is one that we offered!
|
||||||
*
|
*
|
||||||
* Only IPsec DOI is accepted (what is the ISAKMP DOI?).
|
* Only IPsec DOI is accepted (what is the ISAKMP DOI?).
|
||||||
|
|
|
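Review bot: the spelling fix is fine, but the `??? We only check that it is acceptable, not that it is one that we offered!` context line in the same comment block flags an unresolved check on the selection path: when "selection" is true, the peer's single transform is checked for acceptability but not against the proposal we actually sent. That is worth tracking in its own issue rather than being left as a `???` marker that a typo commit walks past.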
@ -100,7 +100,7 @@ extern notification_t parse_ipsec_sa_body(
|
||||||
pb_stream *sa_pbs, /* body of input SA Payload */
|
pb_stream *sa_pbs, /* body of input SA Payload */
|
||||||
const struct isakmp_sa *sa, /* header of input SA Payload */
|
const struct isakmp_sa *sa, /* header of input SA Payload */
|
||||||
pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
|
pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
|
||||||
bool selection, /* if this SA is a selection, only one tranform can appear */
|
bool selection, /* if this SA is a selection, only one transform can appear */
|
||||||
struct state *st); /* current state object */
|
struct state *st); /* current state object */
|
||||||
|
|
||||||
extern void backup_pbs(pb_stream *pbs);
|
extern void backup_pbs(pb_stream *pbs);
|
||||||
|
|
|
@ -216,7 +216,7 @@ struct state *state_with_serialno(so_serial_t sn)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Insert a state object in the hash table. The object is inserted
|
/* Insert a state object in the hash table. The object is inserted
|
||||||
* at the begining of list.
|
* at the beginning of list.
|
||||||
* Needs cookies, connection, and msgid.
|
* Needs cookies, connection, and msgid.
|
||||||
*/
|
*/
|
||||||
void insert_state(struct state *st)
|
void insert_state(struct state *st)
|
||||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/duckKey.pem # The private key
|
private_key = $dir/duckKey.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 1825 # how long to certify for
|
default_days = 1825 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
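Review bot: the change touches only the trailing `#` comments; the `x509_extensions = host_ext` and `crl_extensions = crl_ext` keys themselves are unchanged, so OpenSSL's parsing of this file is unaffected. The same two-line fix is then repeated in six more copies of this configuration below (strongswan_ecKey, strongswanKey-monster, strongswanKey twice, researchKey, salesKey), which shows these files are maintained by copy-and-paste; a shared template with per-CA overrides would have made this a one-file change and keeps the copies from drifting apart.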
@ -78,7 +78,7 @@ default_bits = 1024
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
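Review bot: comment-only change, no issue with the hunk itself, but the `default_bits = 1024` visible in the hunk header context means RSA keys generated from this configuration are 1024 bits, below the minimum current guidance accepts for RSA. Out of scope for a spelling commit, but worth a follow-up: two of the sibling configurations later in this commit (the researchKey and salesKey ones) already use `default_bits = 2048`, which shows the intended value.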
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/strongswan_ecKey.pem # The private key
|
private_key = $dir/strongswan_ecKey.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 1825 # how long to certify for
|
default_days = 1825 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/strongswanKey-monster.pem # The private key
|
private_key = $dir/strongswanKey-monster.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 10950 # how long to certify for
|
default_days = 10950 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/strongswanKey.pem # The private key
|
private_key = $dir/strongswanKey.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 1825 # how long to certify for
|
default_days = 1825 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/researchKey.pem # The private key
|
private_key = $dir/researchKey.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 1825 # how long to certify for
|
default_days = 1825 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
@ -78,7 +78,7 @@ default_bits = 2048
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/strongswanKey.pem # The private key
|
private_key = $dir/strongswanKey.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 1825 # how long to certify for
|
default_days = 1825 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
||||||
private_key = $dir/salesKey.pem # The private key
|
private_key = $dir/salesKey.pem # The private key
|
||||||
RANDFILE = $dir/.rand # private random number file
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
x509_extensions = host_ext # The extentions to add to the cert
|
x509_extensions = host_ext # The extensions to add to the cert
|
||||||
|
|
||||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||||
|
|
||||||
default_days = 1825 # how long to certify for
|
default_days = 1825 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
@ -78,7 +78,7 @@ default_bits = 2048
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||||
in association with the <i>Authentication and Key Agreement</i> protocol
|
in association with the <i>Authentication and Key Agreement</i> protocol
|
||||||
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
||||||
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
||||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
|
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||||
against <b>carol</b>.
|
against <b>carol</b>.
|
||||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||||
in association with an <i>MD5</i> challenge and response protocol
|
in association with an <i>MD5</i> challenge and response protocol
|
||||||
(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
|
(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
|
||||||
is kept in <b>ipsec.secrets</b> on both gateway and client
|
is kept in <b>ipsec.secrets</b> on both gateway and client
|
||||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
|
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||||
against <b>carol</b>.
|
against <b>carol</b>.
|
||||||
|
|
|
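Review bot: minor, but the context line `is kept in <b>ipsec.secrets</b> on both gateway and client` lacks its terminating period before `Gateway <b>moon</b> additionally ...` begins, so the two sentences run together in the rendered description; worth adding while this file is being touched.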
@ -4,5 +4,5 @@ in association with the <i>Microsoft CHAP version 2</i> protocol
|
||||||
(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
|
(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
|
||||||
e.g. by the Windows 7 Agile VPN client.
|
e.g. by the Windows 7 Agile VPN client.
|
||||||
In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
|
In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
|
||||||
uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
|
uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
|
||||||
to authenticate itself against <b>carol</b>.
|
to authenticate itself against <b>carol</b>.
|
||||||
|
|
|
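Review bot: the fix on this line is incomplete: `uses the EAP identy <b>carol</b>` keeps the misspelling `identy` (should be `identity`) immediately before the `additionaly` that was corrected. Since the commit is a spelling sweep, both should be fixed in the same line.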
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||||
in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||||
to authenticate against the gateway. In this scenario triplets from the file
|
to authenticate against the gateway. In this scenario triplets from the file
|
||||||
<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
|
<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
|
||||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate
|
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
|
||||||
itself against <b>carol</b>.
|
itself against <b>carol</b>.
|
||||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||||
in association with the <i>Authentication and Key Agreement</i> protocol
|
in association with the <i>Authentication and Key Agreement</i> protocol
|
||||||
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
||||||
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
||||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
|
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||||
against <b>carol</b>.
|
against <b>carol</b>.
|
||||||
|
|