parent 20a44a5c66
commit f3bb1bd039

HACKING | 2
@ -9,7 +9,7 @@ For interested developers, we have a public repository. To check out and
compile the code, you need the following tools:

- Git
- a recent GNU C complier (>= 3.x)
- a recent GNU C compiler (>= 3.x)
- automake
- autoconf
- libtool
NEWS | 20
@ -520,7 +520,7 @@ strongswan-4.3.1
CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
a missing TSi or TSr payload caused a null pointer derefence because the
checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
developped by the Orange Labs vulnerability research team. The tool was
developed by the Orange Labs vulnerability research team. The tool was
initially written by Gabriel Campana and is now maintained by Laurent Butti.

- Added support for AES counter mode in ESP in IKEv2 using the proposal
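Review bot: the unchanged context line "caused a null pointer derefence because the" still carries a misspelling ("derefence" for "dereference"); since this NEWS entry is already being edited here, fix that word in the same hunk.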
@ -560,7 +560,7 @@ strongswan-4.2.14
-----------------

- The new server-side EAP RADIUS plugin (--enable-eap-radius)
relays EAP messages to and from a RADIUS server. Succesfully
relays EAP messages to and from a RADIUS server. Successfully
tested with with a freeradius server using EAP-MD5 and EAP-SIM.

- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
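Review bot: the context line "tested with with a freeradius server using EAP-MD5 and EAP-SIM." keeps a doubled "with" while the line above it is corrected; drop the duplicate in the same hunk.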
@ -588,7 +588,7 @@ strongswan-4.2.13
- Fixed a use-after-free bug in the DPD timeout section of the
IKEv1 pluto daemon which sporadically caused a segfault.

- Fixed a crash in the IKEv2 charon daemon occuring with
- Fixed a crash in the IKEv2 charon daemon occurring with
mixed RAM-based and SQL-based virtual IP address pools.

- Fixed ASN.1 parsing of algorithmIdentifier objects where the
@ -678,7 +678,7 @@ strongswan-4.2.9
The installpolicy=no option allows peaceful cooperation with a dominant
mip6d daemon and the new type=transport_proxy implements the special MIPv6
IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
but the IPsec SA is set up for the Home Adress.
but the IPsec SA is set up for the Home Address.

- Implemented migration of Mobile IPv6 connections using the KMADDRESS
field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
@ -841,7 +841,7 @@ strongswan-4.2.1
connection setups over new ones, where the value "replace" replaces existing
connections.

- The crypto factory in libstrongswan additionaly supports random number
- The crypto factory in libstrongswan additionally supports random number
generators, plugins may provide other sources of randomness. The default
plugin reads raw random data from /dev/(u)random.

@ -1115,7 +1115,7 @@ strongswan-4.1.3
is provided and more advanced backends (using e.g. a database) are trivial
to implement.

- Fixed a compilation failure in libfreeswan occuring with Linux kernel
- Fixed a compilation failure in libfreeswan occurring with Linux kernel
headers > 2.6.17.


@ -1426,7 +1426,7 @@ strongswan-2.7.0
the successful setup and teardown of an IPsec SA, respectively.
left|rightfirwall can be used with KLIPS under any Linux 2.4
kernel or with NETKEY under a Linux kernel version >= 2.6.16
in conjuction with iptables >= 1.3.5. For NETKEY under a Linux
in conjunction with iptables >= 1.3.5. For NETKEY under a Linux
kernel version < 2.6.16 which does not support IPsec policy
matching yet, please continue to use a copy of the _updown_espmark
template loaded via the left|rightupdown keyword.
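Review bot: "left|rightfirwall" in the second context line is also misspelled ("firewall"), and because it names the actual ipsec.conf keyword the NEWS entry currently points readers at a keyword that does not exist as written; correct it together with "conjuction".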
@ -1932,7 +1932,7 @@ strongswan-2.2.2
and reduces the well-known four tunnel case on VPN gateways to
a single tunnel definition (see README section 2.4).

- Fixed a bug occuring with NAT-Traversal enabled when the responder
- Fixed a bug occurring with NAT-Traversal enabled when the responder
suddenly turns initiator and the initiator cannot find a matching
connection because of the floated IKE port 4500.

@ -1948,11 +1948,11 @@ strongswan-2.2.1
- Introduced the ipsec auto --listalgs monitoring command which lists
all currently registered IKE and ESP algorithms.

- Fixed a bug in the ESP algorithm selection occuring when the strict flag
- Fixed a bug in the ESP algorithm selection occurring when the strict flag
is set and the first proposed transform does not match.

- Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
occuring when a smartcard is present.
occurring when a smartcard is present.

- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.

README | 6
@ -138,7 +138,7 @@ interoperability with the Check Point VPN-1 NG gateway.

In the following examples we assume for reasons of clarity that left designates
the local host and that right is the remote host. Certificates for users, hosts
and gateways are issued by a ficticious strongSwan CA. How to generate private keys
and gateways are issued by a fictitious strongSwan CA. How to generate private keys
and certificates using OpenSSL will be explained in section 3. The CA certificate
"strongswanCert.pem" must be present on all VPN end points in order to be able to
authenticate the peers.
@ -1959,7 +1959,7 @@ and the returned result might be a decrypted 128 bit AES key
000 8836362e030e6707c32ffaa0bdad5540

The leading three characters represent the return code of the whack channel
with 000 signifying that no error has occured. Here is another example showing
with 000 signifying that no error has occurred. Here is another example showing
the use of the inbase and outbase attributes

ipsec scdecrypt m/ewDnTs0k...woE= --inbase base64 --outbase text
@ -2195,7 +2195,7 @@ The command
ipsec listpubkeys [--utc]

lists all public keys currently installed in the chained list of public
keys. These keys were statically loaded from ipsec.conf or aquired either
keys. These keys were statically loaded from ipsec.conf or acquired either
from received certificates or retrieved from secure DNS servers using
opportunistic mode.

@ -8,7 +8,7 @@ new keying daemon, which is called #charon.
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
Charon uses another socket interface, called stroke. Stroke uses another
format as whack and therefore is not compatible to whack. The starter utility,
wich does fast configuration parsing, speaks both the protocols, whack and
which does fast configuration parsing, speaks both the protocols, whack and
stroke. It also handles daemon startup and termination.
Pluto uses starter for some commands, for other it uses the whack utility. To be
as close to pluto as possible, charon has the same split up of commands to
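Review bot: two grammar slips remain in the surrounding context lines: "Stroke uses another format as whack and therefore is not compatible to whack" reads better as "a different format from whack and is therefore not compatible with whack", and "for other it uses the whack utility" should be "for others".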
@ -47,7 +47,7 @@ Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
500. Under Linux, there is no clean way to set up two sockets at the same port.
To reslove this problem, charon uses a RAW socket, as they are used in network
sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
traffic. Pluto receives any IKE message, independant of charons behavior.
traffic. Pluto receives any IKE message, independent of charons behavior.
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.

To gain some reusability of the code, generic crypto and utility functions are
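Review bot: the same paragraph still has "To reslove this problem" ("resolve"), "all none-IKEv2 traffic" ("non-IKEv2") and the possessives "charons" / "plutos" ("charon's" / "pluto's"); fixing only "independant" leaves the paragraph inconsistent, so take the others in this hunk as well.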
@ -298,7 +298,7 @@ and
.B rightsubnet
, a connection is established.
.B start
loads a connection and brings it up immediatly.
loads a connection and brings it up immediately.
.B ignore
ignores the connection. This is equal to delete a connection from the config
file.
@ -1172,7 +1172,7 @@ so a new (automatically-keyed) connection using the same ID is
almost invariably intended to replace an old one.
The IKEv2 daemon also accepts the value
.B replace
wich is identical to
which is identical to
.B yes
and the value
.B keep
@ -110,11 +110,11 @@ binary-common:
dh_gencontrol
dh_md5sums
dh_builddeb
# Build architecture independant packages using the common target.
# Build architecture independent packages using the common target.
binary-indep: build-indep install
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common

# Build architecture dependant packages using the common target.
# Build architecture dependent packages using the common target.
binary-arch: build-arch install
$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common

@ -130,11 +130,11 @@ binary-common:
dh_md5sums
dh_builddeb

# Build architecture independant packages using the common target.
# Build architecture independent packages using the common target.
binary-indep: build-indep install
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common

# Build architecture dependant packages using the common target.
# Build architecture dependent packages using the common target.
binary-arch: build-arch install
$(MAKE) -f debian/rules DH_OPTIONS=-s binary-common

@ -23,7 +23,7 @@ Depends: strongswan-nm, strongswan-eap-gtc, strongswan-eap-md5, strongswan-eap-m
Description: network management framework (strongSwan plugin)
NetworkManager attempts to keep an active network connection available at
all times. It is intended primarily for laptops where it allows easy
switching betwen local wireless networks, it's also useful on desktops
switching between local wireless networks, it's also useful on desktops
with a selection of different interfaces to use. It is not intended for
usage on servers.
.
@ -89,7 +89,7 @@ msgstr ""
#: ../properties/nm-strongswan-dialog.glade.h:12
msgid ""
"IPComp compresses raw IP packets before they get encrypted. This saves some "
"bandwith, but uses more processing power."
"bandwidth, but uses more processing power."
msgstr ""
"IPComp komprimiert IP-Pakete, bevor sie verschlüsselt werden. Diese Option "
"kann Bandbreite sparen, benötigt jedoch zusätzliche Rechenleistung."
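Review bot: changing the msgid string ("bandwith" to "bandwidth") changes the key gettext looks up, so this entry in every other catalog (the .pot and any other .po files) must be updated or regenerated from the glade source, otherwise it goes fuzzy or untranslated there. The German msgstr retained here is correct and needs no change.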
@ -319,7 +319,7 @@
<property name="can_focus">True</property>
<property name="receives_default">False</property>
<property name="has_tooltip">True</property>
<property name="tooltip" translatable="yes">IPComp compresses raw IP packets before they get encrypted. This saves some bandwith, but uses more processing power.</property>
<property name="tooltip" translatable="yes">IPComp compresses raw IP packets before they get encrypted. This saves some bandwidth, but uses more processing power.</property>
<property name="use_underline">True</property>
<property name="draw_indicator">True</property>
</widget>
@ -47,7 +47,7 @@ struct udp_sock {
unsigned int corkflag; /* Cork is required */
__u16 encap_type; /* Is this an Encapsulation socket? */
/*
* Following member retains the infomation to create a UDP header
* Following member retains the information to create a UDP header
* when the socket is uncorked.
*/
__u16 len; /* total length of pending frames */
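Review bot: this struct udp_sock definition (corkflag, encap_type, __u16 len) is a copy of the Linux kernel's udp.h; cosmetic edits to a vendored kernel header make later re-syncs with upstream noisier, so consider leaving copied headers out of a spelling sweep.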
@ -177,7 +177,7 @@ struct bus_t {
/**
* Send a log message to the bus.
*
* The signal specifies the type of the event occured. The format string
* The signal specifies the type of the event occurred. The format string
* specifies an additional informational or error message with a
* printf() like variable argument list.
* Use the DBG() macros.
@ -84,7 +84,7 @@ struct listener_t {
/**
* Hook called for received/sent messages of an IKE_SA.
*
* @param ike_sa IKE_SA sending/receving a message
* @param ike_sa IKE_SA sending/receiving a message
* @param message message object
* @param incoming TRUE for incoming messages, FALSE for outgoing
* @return TRUE to stay registered, FALSE to unregister
@ -73,7 +73,7 @@ struct child_cfg_t {
* Add a proposal to the list.
*
* The proposals are stored by priority, first added
* is the most prefered.
* is the most preferred.
* After add, proposal is owned by child_cfg.
*
* @param proposal proposal to add
@ -95,7 +95,7 @@ struct child_cfg_t {
*
* Returned propsal is newly created and must be destroyed after usage.
*
* @param proposals list from from wich proposals are selected
* @param proposals list from which proposals are selected
* @param strip_dh TRUE strip out diffie hellman groups
* @param private accept algorithms from a private range
* @return selected proposal, or NULL if nothing matches
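Review bot: "Returned propsal is newly created" in the second context line is also misspelled ("proposal"); fix it alongside "wich" so the comment block is clean in one pass.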
@ -110,7 +110,7 @@ struct private_peer_cfg_t {
u_int32_t reauth_time;

/**
* Time, which specifies the range of a random value substracted from above.
* Time, which specifies the range of a random value subtracted from above.
*/
u_int32_t jitter_time;

@ -110,7 +110,7 @@ extern enum_name_t *unique_policy_names;
* peer. Each config is enforced using the multiple authentication extension
* (RFC4739).
* The remote authentication configs are handled as constraints. The peer has
* to fullfill each of these rules (using multiple authentication, in any order)
* to fulfill each of these rules (using multiple authentication, in any order)
* to gain access to the configuration.
*/
struct peer_cfg_t {
@ -328,14 +328,14 @@ struct peer_cfg_t {
* (rekeylifetime - random(0, jitter)).
*
* @param name name of the peer_cfg
* @param ike_version which IKE version we sould use for this peer
* @param ike_version which IKE version we should use for this peer
* @param ike_cfg IKE config to use when acting as initiator
* @param cert_policy should we send a certificate payload?
* @param unique uniqueness of an IKE_SA
* @param keyingtries how many keying tries should be done before giving up
* @param rekey_time timeout before starting rekeying
* @param reauth_time timeout before starting reauthentication
* @param jitter_time timerange to randomly substract from rekey/reauth time
* @param jitter_time timerange to randomly subtract from rekey/reauth time
* @param over_time maximum overtime before closing a rekeying/reauth SA
* @param mobike use MOBIKE (RFC4555) if peer supports it
* @param dpd DPD check interval, 0 to disable
@ -120,7 +120,7 @@ struct proposal_t {
* compared. If they have at least one algorithm of each type
* in common, a resulting proposal of this kind is created.
*
* @param other proposal to compair agains
* @param other proposal to compare against
* @param private accepts algorithms allocated in a private range
* @return selected proposal, NULL if proposals don't match
*/
@ -334,7 +334,7 @@ METHOD(controller_t, terminate_ike, status_t,
else
{
charon->bus->listen(charon->bus, &job.listener.public, &job.public);
/* checkin of the ike_sa happend in the thread that executed the job */
/* checkin of the ike_sa happened in the thread that executed the job */
charon->bus->set_sa(charon->bus, NULL);
}
return job.listener.status;
@ -425,7 +425,7 @@ METHOD(controller_t, terminate_child, status_t,
else
{
charon->bus->listen(charon->bus, &job.listener.public, &job.public);
/* checkin of the ike_sa happend in the thread that executed the job */
/* checkin of the ike_sa happened in the thread that executed the job */
charon->bus->set_sa(charon->bus, NULL);
}
return job.listener.status;
@ -63,13 +63,13 @@
typedef struct {
/* Payload type */
payload_type_t type;
/* Minimal occurence of this payload. */
/* Minimal occurrence of this payload. */
size_t min_occurence;
/* Max occurence of this payload. */
/* Max occurrence of this payload. */
size_t max_occurence;
/* TRUE if payload must be encrypted */
bool encrypted;
/* If payload occurs, the message rule is fullfilled */
/* If payload occurs, the message rule is fulfilled */
bool sufficient;
} payload_rule_t;

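Review bot: the comments now say "occurrence" but the members they describe are still named min_occurence and max_occurence, so comment and identifier disagree on spelling; either rename the fields (and their uses such as rule->max_occurence / rule->min_occurence in verify()) in the same change, or keep the comments spelled like the identifiers so that grep stays consistent.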
@ -1405,7 +1405,7 @@ static status_t verify(private_message_t *this)
if (found > rule->max_occurence)
{
DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
"occured in current message", payload_type_names,
"occurred in current message", payload_type_names,
type, rule->max_occurence, found);
enumerator->destroy(enumerator);
return VERIFY_ERROR;
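Review bot: this changes the text of a user-visible DBG1 log line ("occured in current message" to "occurred in current message"); anything matching on the old wording in log parsing, tests or monitoring rules has to be updated, which is worth calling out in the commit message of an otherwise spelling-only commit.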
@ -1416,7 +1416,7 @@ static status_t verify(private_message_t *this)

if (!complete && found < rule->min_occurence)
{
DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
payload_type_names, rule->type, rule->min_occurence, found);
return VERIFY_ERROR;
}
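Review bot: the corrected message "payload of type %N not occurred %d times (%d)" is still ungrammatical; since the condition is found < rule->min_occurence, wording such as "payload of type %N occurred fewer than %d times (%d)" states the check accurately.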
@ -321,7 +321,7 @@ struct message_t {
/**
* Find a payload of a specific type.
*
* Returns the first occurance.
* Returns the first occurrence.
*
* @param type type of the payload to find
* @return payload, or NULL if no such payload found
@ -142,7 +142,7 @@ METHOD(payload_t, set_next_type, void,
}

/**
* Compute the lenght of the whole payload
* Compute the length of the whole payload
*/
static void compute_length(private_encryption_payload_t *this)
{
@ -407,7 +407,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(

this = (private_proposal_substructure_t*)proposal_substructure_create();

/* encryption algorithm is only availble in ESP */
/* encryption algorithm is only available in ESP */
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
while (enumerator->enumerate(enumerator, &alg, &key_size))
{
@ -84,7 +84,7 @@ encoding_rule_t transform_substructure_encodings[] = {
{ U_INT_8, offsetof(private_transform_substructure_t, transform_type) },
/* 1 Reserved Byte */
{ RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[1]) },
/* tranform ID is a number of 8 bit */
/* transform ID is a number of 8 bit */
{ U_INT_16, offsetof(private_transform_substructure_t, transform_id) },
/* Attributes are stored in a transform attribute,
offset points to a linked_list_t pointer */
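Review bot: the comment "transform ID is a number of 8 bit" contradicts the encoding rule on the next line, which uses U_INT_16 for transform_id; the IKEv2 Transform ID field is 16 bits wide, so update the comment to say 16 bit while it is being edited.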
@ -118,7 +118,7 @@ transform_substructure_t *transform_substructure_create(void);
*
* @param type type of transform to create
* @param id transform id specifc for the transform type
* @param key_length key length for key lenght attribute, 0 to omit
* @param key_length key length for key length attribute, 0 to omit
* @return transform_substructure_t object
*/
transform_substructure_t *transform_substructure_create_type(
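Review bot: "@param id transform id specifc for the transform type" in the preceding context line keeps "specifc" ("specific"); fix it together with "lenght".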
@ -30,7 +30,7 @@ typedef struct receiver_t receiver_t;
/**
* Receives packets from the socket and adds them to the job queue.
*
* The receiver starts a thread, wich reads on the blocking socket. A received
* The receiver starts a thread, which reads on the blocking socket. A received
* packet is preparsed and a process_message_job is queued in the job queue.
*
* To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
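Review bot: the last context line, "To endure DoS attacks, cookies are enabled when to many IKE_SAs are half", has two further errors: "endure" should be "withstand" (or "mitigate") and "to many" should be "too many"; as this sentence documents the anti-DoS cookie mechanism it is worth getting right in the same hunk.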
@ -38,7 +38,7 @@ typedef struct receiver_t receiver_t;
* method in RFC4306. We do not include a nonce, because we think the advantage
* we gain does not justify the overhead to parse the whole message.
* Instead of VersionIdOfSecret, we include a timestamp. This allows us to
* find out wich key was used for cookie creation. Further, we can set a
* find out which key was used for cookie creation. Further, we can set a
* lifetime for the cookie, which allows us to reuse the secret for a longer
* time.
* COOKIE = time | sha1( IPi | SPIi | time | secret )
@ -52,7 +52,7 @@ METHOD(listener_t, log_, bool,
snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
vsnprintf(buffer, sizeof(buffer), format, args);
while (current)
{ /* log each line seperately */
{ /* log each line separately */
next = strchr(current, '\n');
if (next)
{
@ -68,7 +68,7 @@ struct private_load_tester_plugin_t {
int initiators;

/**
* currenly running initiators
* currently running initiators
*/
int running;

@ -345,7 +345,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
}

/**
* schedule initation of all "active" connections
* schedule initiation of all "active" connections
*/
static void schedule_autoinit(private_medcli_config_t *this)
{
@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>

<!-- strongSwan Managment Protocol (SMP) V1.0 -->
<!-- strongSwan Management Protocol (SMP) V1.0 -->

<!--
Copyright (C) 2007 Martin Willi
@ -871,7 +871,7 @@ METHOD(ike_sa_t, update_hosts, void,

if (!other->equals(other, this->other_host))
{
/* update others adress if we are NOT NATed */
/* update others address if we are NOT NATed */
if (force || !has_condition(this, COND_NAT_HERE))
{
set_other_host(this, other->clone(other));
@ -689,7 +689,7 @@ struct ike_sa_t {
*
* Message processing may fail. If a critical failure occurs,
* process_message() return DESTROY_ME. Then the caller must
* destroy the IKE_SA immediatly, as it is unusable.
* destroy the IKE_SA immediately, as it is unusable.
*
* @param message message to process
* @return
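Review bot: "process_message() return DESTROY_ME" in the context line above the change should read "returns"; fix it while the sentence below it is being corrected.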
@ -30,7 +30,7 @@ typedef struct ike_sa_id_t ike_sa_id_t;
* An object of type ike_sa_id_t is used to identify an IKE_SA.
*
* An IKE_SA is identified by its initiator and responder spi's.
* Additionaly it contains the role of the actual running IKEv2-Daemon
* Additionally it contains the role of the actual running IKEv2-Daemon
* for the specific IKE_SA (original initiator or responder).
*/
struct ike_sa_id_t {
@ -317,7 +317,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
{
/* establishing new child failed, reuse old. but not when we
* recieved a delete in the meantime */
* received a delete in the meantime */
if (!(this->collision &&
this->collision->get_type(this->collision) == CHILD_DELETE))
{
@ -353,7 +353,7 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
notify_payload_t *notify;
host_t *me, *other;

/* only add notifies on successfull responses. */
/* only add notifies on successful responses. */
if (message->get_exchange_type(message) == IKE_SA_INIT &&
message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
{
@ -89,7 +89,7 @@ extern enum_name_t *task_type_names;
* A responder does the opposite; it calls process() first to handle an incoming
* request and secondly calls build() to build an appropriate response.
* Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
* that the task completed, even when the task completed unsuccesfully. The
* that the task completed, even when the task completed unsuccessfully. The
* manager then removes the task from the list. A NEED_MORE is returned when
* the task needs further build()/process() calls to complete, the manager
* leaves the taks in the queue. A returned FAILED indicates a critical failure.
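Review bot: "leaves the taks in the queue" in the last context line is also misspelled ("task"); fix it in the same hunk.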
@ -102,7 +102,7 @@ struct task_t {
*
* @param message message to add payloads to
* @return
* - FAILED if a critical error occured
* - FAILED if a critical error occurred
* - DESTROY_ME if IKE_SA has been properly deleted
* - NEED_MORE if another call to build/process needed
* - SUCCESS if task completed
@ -114,7 +114,7 @@ struct task_t {
*
* @param message message to read payloads from
* @return
* - FAILED if a critical error occured
* - FAILED if a critical error occurred
* - DESTROY_ME if IKE_SA has been properly deleted
* - NEED_MORE if another call to build/process needed
* - SUCCESS if task completed
@ -84,7 +84,7 @@ struct kernel_listener_t {
policy_dir_t direction, host_t *local, host_t *remote);

/**
* Hook called if changes in the networking layer occured (interfaces
* Hook called if changes in the networking layer occurred (interfaces
* up/down, routes added/deleted etc.).
*
* @param address TRUE if address list, FALSE if routing changed
@ -2507,7 +2507,7 @@ static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
}

/**
* Register a socket for AQUIRE/EXPIRE messages
* Register a socket for ACQUIRE/EXPIRE messages
*/
static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
{
@ -2327,7 +2327,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
}

/**
* Register a socket for AQUIRE/EXPIRE messages
* Register a socket for ACQUIRE/EXPIRE messages
*/
static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
u_int8_t satype)
@ -57,7 +57,7 @@ chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
}

/**
* Decribed in header.
* Described in header.
*/
size_t chunk_length(const char* mode, ...)
{
@ -87,7 +87,7 @@ size_t chunk_length(const char* mode, ...)
}

/**
* Decribed in header.
* Described in header.
*/
chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
{
@ -133,7 +133,7 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
}

/**
* Decribed in header.
* Described in header.
*/
void chunk_split(chunk_t chunk, const char *mode, ...)
{
@ -254,7 +254,7 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
* Increment a chunk, as it would reprensent a network order integer.
*
* @param chunk chunk to increment
* @return TRUE if an overflow occured
* @return TRUE if an overflow occurred
*/
bool chunk_increment(chunk_t chunk);

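Review bot: the first context line "Increment a chunk, as it would reprensent a network order integer" keeps "reprensent" ("represent"); correct it alongside "occured".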
@ -31,7 +31,7 @@ typedef enum auth_class_t auth_class_t;
/**
* Class of authentication to use. This is different to auth_method_t in that
* it does not specify a method, but a class of acceptable methods. The found
* certificate finally dictates wich method is used.
* certificate finally dictates which method is used.
*/
enum auth_class_t {
/** any class acceptable */
@ -57,7 +57,7 @@ extern enum_name_t *auth_class_names;
* - For configs specifying local authentication behavior, the rules define
* which authentication method in which way.
* - For configs specifying remote peer authentication, the rules define
* constraints the peer has to fullfill.
* constraints the peer has to fulfill.
*
* Additionally to the rules, there is a set of helper items. These are used
* to transport credentials during the authentication process.
@ -176,7 +176,7 @@ struct certificate_t {
/**
* Check if two certificates are equal.
*
* @param other certificate to compair against this
* @param other certificate to compare against this
* @return TRUE if certificates are equal
*/
bool (*equals)(certificate_t *this, certificate_t *other);
@ -111,7 +111,7 @@ struct aead_t {
* Create a aead instance using traditional transforms.
*
* @param crypter encryption transform for this aead
* @param signer integrity tranform for this aead
* @param signer integrity transform for this aead
* @return aead transform
*/
aead_t *aead_create(crypter_t *crypter, signer_t *signer);
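Review bot: "Create a aead instance" in the first context line should read "an aead instance"; fix it together with "tranform".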
@ -37,7 +37,7 @@ SUCH DAMAGE.

The license and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied and put under another distrubution license
copied and put under another distribution license
[including the GNU Public License.]

The reason behind this being stated in this direct manner is past
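Review bot: this hunk edits the wording of a third-party license notice, and the very sentence it touches states that "the license and distribution terms ... cannot be changed"; license texts are normally carried verbatim, typos included, so drop this hunk and leave the notice as received from upstream (the neighbouring "publically" is likewise best left alone).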
@ -67,7 +67,7 @@ typedef struct __attribute__((packed)) {
u_char salt[SALT_SIZE];
u_char iv[IV_SIZE];
} nonce;
/* lenght of plain text, q */
/* length of plain text, q */
u_char q[Q_SIZE];
} b0_t;

@ -80,7 +80,7 @@ struct private_des_crypter_t {
des_crypter_t public;

/**
* Key size, depends on algoritm...
* Key size, depends on algorithm...
*/
size_t key_size;

@ -127,7 +127,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
#endif

/* Unroll the inner loop, this sometimes helps, sometimes hinders.
* Very mucy CPU dependant */
* Very much CPU dependent */
#ifndef DES_UNROLL
#define DES_UNROLL
#endif
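Review bot: this file is vendored DES code (the DES_RISC1/DES_RISC2 and DES_UNROLL knobs come from the original SSLeay implementation); touching its comments diverges the local copy from upstream for no functional gain, so consider excluding vendored sources from this spelling sweep.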
@ -316,7 +316,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
* bytes, probably an issue of accessing non-word aligned objects :-( */
#ifdef DES_PTR

/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
/* It recently occurred to me that 0^0^0^0^0^0^0 == 0, so there
* is no reason to not xor all the sub items together. This potentially
* saves a register since things can be xored directly into L */

@ -68,7 +68,7 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
if (key)
{
/* gcrypt might return more bytes than necessary. Truncate
* to key lenght if key given, or prepend zeros if needed */
* to key length if key given, or prepend zeros if needed */
len = gcry_pk_get_nbits(key);
len = len / 8 + (len % 8 ? 1 : 0);
if (len > data.len)
@ -30,7 +30,7 @@ typedef struct hmac_t hmac_t;
|
|||
* Message authentication using hash functions.
|
||||
*
|
||||
* This class implements the message authenticaion algorithm
|
||||
* described in RFC2104. It uses a hash function, wich must
|
||||
* described in RFC2104. It uses a hash function, which must
|
||||
* be implemented as a hasher_t class.
|
||||
*/
|
||||
struct hmac_t {
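Review bot: the unchanged context line "This class implements the message authenticaion algorithm" in this same doc comment carries a typo of exactly the kind this commit fixes ("authenticaion" for "authentication"), but the hunk only corrects "wich" two lines below it. Fix both in one pass so the comment block does not need a second spelling commit.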
|
||||
|
|
|
@ -495,7 +495,7 @@ typedef struct {
|
|||
CK_SESSION_HANDLE session;
|
||||
/* pkcs11 library */
|
||||
pkcs11_library_t *lib;
|
||||
/* attributes to retreive */
|
||||
/* attributes to retrieve */
|
||||
CK_ATTRIBUTE_PTR attr;
|
||||
/* number of attributes */
|
||||
CK_ULONG count;
|
||||
|
|
|
@ -32,7 +32,7 @@ typedef struct pkcs11_manager_t pkcs11_manager_t;
|
|||
*
|
||||
* @param data user supplied data, as passed to pkcs11_manager_create()
|
||||
* @param p11 loaded PKCS#11 library token belongs to
|
||||
* @param slot slot number the event occured in
|
||||
* @param slot slot number the event occurred in
|
||||
* @param add TRUE if token was added to the slot, FALSE if removed
|
||||
*/
|
||||
typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11,
|
||||
|
|
|
@ -52,7 +52,7 @@ struct plugin_t {
|
|||
|
||||
|
||||
/**
|
||||
* Plugin constructor function definiton.
|
||||
* Plugin constructor function definition.
|
||||
*
|
||||
* Each plugin has a constructor function. This function is called on daemon
|
||||
* startup to initialize each plugin.
|
||||
|
|
|
@ -62,7 +62,7 @@ struct private_callback_job_t {
|
|||
mutex_t *mutex;
|
||||
|
||||
/**
|
||||
* list of asociated child jobs
|
||||
* list of associated child jobs
|
||||
*/
|
||||
linked_list_t *children;
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ typedef struct scheduler_t scheduler_t;
|
|||
* based data structure that satisfies the following property: if B is a child
|
||||
* node of A, then key(A) >= (or <=) key(B). So either the element with the
|
||||
* greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
|
||||
* We use a min-heap whith the key being the absolute unix time at which an
|
||||
* We use a min-heap with the key being the absolute unix time at which an
|
||||
* event is scheduled. So the root is always the event that will fire next.
|
||||
*
|
||||
* An earlier implementation of the scheduler used a sorted linked list to store
|
||||
|
|
|
@ -110,7 +110,7 @@ u_int32_t settings_value_as_time(char *value, u_int32_t def);
|
|||
* already existing values are replaced.
|
||||
*
|
||||
* All settings included from files are added relative to the section the
|
||||
* include statment is in.
|
||||
* include statement is in.
|
||||
*
|
||||
* The following files result in the same final config as above:
|
||||
*
|
||||
|
|
|
@ -36,7 +36,7 @@ struct enumerator_t {
|
|||
* The enumerate function takes a variable argument list containing
|
||||
* pointers where the enumerated values get written.
|
||||
*
|
||||
* @param ... variable list of enumerated items, implementation dependant
|
||||
* @param ... variable list of enumerated items, implementation dependent
|
||||
* @return TRUE if pointers returned
|
||||
*/
|
||||
bool (*enumerate)(enumerator_t *this, ...);
|
||||
|
|
|
@ -40,7 +40,7 @@ struct private_host_t {
|
|||
host_t public;
|
||||
|
||||
/**
|
||||
* low-lewel structure, wich stores the address
|
||||
* low-lewel structure, which stores the address
|
||||
*/
|
||||
union {
|
||||
/** generic type */
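Review bot: the replacement line still reads "low-lewel structure"; "lewel" should be "level". Since the whole line is already on the + side of the hunk, make it `* low-level structure, which stores the address` rather than fixing only the second typo.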
|
||||
|
|
|
@ -293,7 +293,7 @@ struct identification_t {
|
|||
*
|
||||
* In favour of pluto, domainnames are prepended with an @, since
|
||||
* pluto resolves domainnames without an @ to IPv4 addresses. Since
|
||||
* we use a seperate host_t class for addresses, this doesn't
|
||||
* we use a separate host_t class for addresses, this doesn't
|
||||
* make sense for us.
|
||||
*
|
||||
* A distinguished name may contain one or more of the following RDNs:
|
||||
|
|
|
@ -98,7 +98,7 @@ struct tls_alert_t {
|
|||
/**
|
||||
* Did a fatal alert occur?.
|
||||
*
|
||||
* @return TRUE if a fatal alert has occured
|
||||
* @return TRUE if a fatal alert has occurred
|
||||
*/
|
||||
bool (*fatal)(tls_alert_t *this);
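Review bot: the unchanged line "Did a fatal alert occur?." in this doc comment has a stray period after the question mark. The hunk is already editing this comment block, so drop the extra period here instead of leaving it for another pass.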
|
||||
|
||||
|
|
|
@ -603,7 +603,7 @@ static suite_algs_t suite_algs[] = {
|
|||
};
|
||||
|
||||
/**
|
||||
* Look up algoritms by a suite
|
||||
* Look up algorithms by a suite
|
||||
*/
|
||||
static suite_algs_t *find_suite(tls_cipher_suite_t suite)
|
||||
{
|
||||
|
|
|
@ -242,7 +242,7 @@ METHOD(tls_fragmentation_t, process, status_t,
|
|||
{
|
||||
case ALERT_SENDING:
|
||||
case ALERT_SENT:
|
||||
/* don't accept more input, fatal error ocurred */
|
||||
/* don't accept more input, fatal error occurred */
|
||||
return NEED_MORE;
|
||||
case ALERT_NONE:
|
||||
break;
|
||||
|
|
|
@ -112,7 +112,7 @@ METHOD(tls_protection_t, process, status_t,
|
|||
private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
|
||||
{
|
||||
if (this->alert->fatal(this->alert))
|
||||
{ /* don't accept more input, fatal error ocurred */
|
||||
{ /* don't accept more input, fatal error occurred */
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
|
|
|
@ -2110,7 +2110,7 @@ var jsc = (new Date).getTime();
|
|||
|
||||
jQuery.extend({
|
||||
get: function( url, data, callback, type ) {
|
||||
// shift arguments if data argument was ommited
|
||||
// shift arguments if data argument was omitted
|
||||
if ( jQuery.isFunction( data ) ) {
|
||||
callback = data;
|
||||
data = null;
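Review bot: this hunk edits a vendored copy of jQuery (the `jQuery.extend({ get: function( url, data, callback, type )` block), not project code. Changing a bundled third-party file, even a comment, creates a local divergence that is lost or conflicts at the next upstream update and makes the bundled version harder to verify against the original. Leave vendored libraries out of spelling sweeps.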
|
||||
|
|
|
@ -44,7 +44,7 @@ struct private_user_controller_t {
|
|||
user_t *user;
|
||||
|
||||
/**
|
||||
* minimum required password lenght
|
||||
* minimum required password length
|
||||
*/
|
||||
u_int password_length;
|
||||
};
|
||||
|
|
|
@ -658,7 +658,7 @@ extern const char *prettypolicy(lset_t policy);
|
|||
#define POLICY_COMPRESS LELEM(4) /* must be third */
|
||||
#define POLICY_TUNNEL LELEM(5)
|
||||
#define POLICY_PFS LELEM(6)
|
||||
#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* supress tunnel egress address checking */
|
||||
#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* suppress tunnel egress address checking */
|
||||
|
||||
#define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
|
||||
#define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
|
||||
|
|
|
@ -544,7 +544,7 @@ init_demux(void)
|
|||
* - ip(7) describes IP_RECVERR
|
||||
* - recvmsg(2) describes MSG_ERRQUEUE
|
||||
* - readv(2) describes iovec
|
||||
* - cmsg(3) describes how to process auxilliary messages
|
||||
* - cmsg(3) describes how to process auxiliary messages
|
||||
*
|
||||
* ??? we should link this message with one we've sent
|
||||
* so that the diagnostic can refer to that negotiation.
|
||||
|
@ -1580,7 +1580,7 @@ process_packet(struct msg_digest **mdp)
|
|||
|
||||
/*
|
||||
* okay, now we have to figure out if we are receiving a bogus
|
||||
* new message in an oustanding XAUTH server conversation
|
||||
* new message in an outstanding XAUTH server conversation
|
||||
* (i.e. a reply to our challenge)
|
||||
* (this occurs with some broken other implementations).
|
||||
*
|
||||
|
|
|
@ -205,7 +205,7 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
|
|||
|
||||
/*
|
||||
* key_len passed comes from esp_attrs read from peer
|
||||
* For many older algoritms (eg 3DES) this key_len is fixed
|
||||
* For many older algorithms (eg 3DES) this key_len is fixed
|
||||
* and get passed as 0.
|
||||
* ... then get default key_len
|
||||
*/
|
||||
|
|
|
@ -22,7 +22,7 @@ struct file_lex_position
|
|||
int lino; /* line number in file */
|
||||
char buffer[MAX_TOK_LEN + 1]; /* note: one extra char for our use (jamming '"') */
|
||||
char *cur; /* cursor */
|
||||
char under; /* except in shift(): character orignally at *cur */
|
||||
char under; /* except in shift(): character originally at *cur */
|
||||
struct file_lex_position *previous;
|
||||
};
|
||||
|
||||
|
|
|
@ -232,7 +232,7 @@ void nat_traversal_natd_lookup(struct msg_digest *md)
|
|||
if (i < 2)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS,
|
||||
"NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i);
|
||||
"NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negotiation", i);
|
||||
st->nat_traversal = 0;
|
||||
return;
|
||||
}
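Review bot: unlike the rest of this commit, this hunk changes a runtime log string ("Aborting NAT-Traversal negotiation"), not a comment. Anything that matches on the old wording, such as test-scenario expected output, log parsers or alerting rules, stops matching silently. Grep the tree and the test suite for "negociation" and update those in the same change, and call the log-text change out in the commit message.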
|
||||
|
|
|
@ -1437,7 +1437,7 @@ Phase 1.
|
|||
\fBPluto\fP responds to \fBSIGHUP\fP by issuing a suggestion that ``\fBwhack\fP
|
||||
\-\-listen'' might have been intended.
|
||||
.LP
|
||||
\fBPluto\fP exits when it recieves \fBSIGTERM\fP.
|
||||
\fBPluto\fP exits when it receives \fBSIGTERM\fP.
|
||||
.SH EXIT STATUS
|
||||
.LP
|
||||
\fBpluto\fP normally forks a daemon process, so the exit status is
|
||||
|
@ -1558,7 +1558,7 @@ There is no good way for a connection to be automatically terminated.
|
|||
This is a problem for Road Warrior and Opportunistic connections.
|
||||
The \fB\-\-dontrekey\fP option does prevent the SAs from
|
||||
being rekeyed on expiry.
|
||||
Additonally, if a Road Warrior connection has a client subnet with a fixed IP
|
||||
Additionally, if a Road Warrior connection has a client subnet with a fixed IP
|
||||
address, a negotiation with that subnet will cause any other
|
||||
connection instantiations with that same subnet to be unoriented
|
||||
(deleted, in effect).
|
||||
|
|
|
@ -282,7 +282,7 @@ void whack_handle(int whackctlfd)
|
|||
{
|
||||
if (msg.magic == WHACK_BASIC_MAGIC)
|
||||
{
|
||||
/* Only shutdown command. Simpler inter-version compatability. */
|
||||
/* Only shutdown command. Simpler inter-version compatibility. */
|
||||
if (msg.whack_shutdown)
|
||||
{
|
||||
plog("shutting down");
|
||||
|
|
|
@ -1300,7 +1300,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
* proposal is emitted into it.
|
||||
*
|
||||
* If "selection" is true, the SA is supposed to represent the
|
||||
* single tranform that the peer has accepted.
|
||||
* single transform that the peer has accepted.
|
||||
* ??? We only check that it is acceptable, not that it is one that we offered!
|
||||
*
|
||||
* Only IPsec DOI is accepted (what is the ISAKMP DOI?).
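Review bot: the unchanged line right after the corrected one still carries the open note "??? We only check that it is acceptable, not that it is one that we offered!". That is a real gap rather than a typo: a selection returned by the peer is validated only as acceptable in general, not against the proposal we actually sent. It is out of scope for a spelling commit, but it deserves a tracking issue or a TODO with a reference instead of an anonymous "???" in a comment about SA selection.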
|
||||
|
|
|
@ -100,7 +100,7 @@ extern notification_t parse_ipsec_sa_body(
|
|||
pb_stream *sa_pbs, /* body of input SA Payload */
|
||||
const struct isakmp_sa *sa, /* header of input SA Payload */
|
||||
pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
|
||||
bool selection, /* if this SA is a selection, only one tranform can appear */
|
||||
bool selection, /* if this SA is a selection, only one transform can appear */
|
||||
struct state *st); /* current state object */
|
||||
|
||||
extern void backup_pbs(pb_stream *pbs);
|
||||
|
|
|
@ -216,7 +216,7 @@ struct state *state_with_serialno(so_serial_t sn)
|
|||
}
|
||||
|
||||
/* Insert a state object in the hash table. The object is inserted
|
||||
* at the begining of list.
|
||||
* at the beginning of list.
|
||||
* Needs cookies, connection, and msgid.
|
||||
*/
|
||||
void insert_state(struct state *st)
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/duckKey.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 1825 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -78,7 +78,7 @@ default_bits = 1024
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
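Review bot: the hunk header shows `default_bits = 1024` for this test CA's key generation. Unrelated to the spelling fix, but 1024-bit RSA is below current minimums; whenever these test certificates are regenerated, raise the default to 2048, which the configs using researchKey.pem and salesKey.pem later in this diff already do. The same value appears in the other `default_bits = 1024` hunk headers in this commit.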
|
||||
|
||||
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/strongswan_ecKey.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 1825 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/strongswanKey-monster.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 10950 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/strongswanKey.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 1825 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/researchKey.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 1825 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -78,7 +78,7 @@ default_bits = 2048
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/strongswanKey.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 1825 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -79,7 +79,7 @@ default_bits = 1024
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
|
||||
|
|
|
@ -36,9 +36,9 @@ crlnumber = $dir/crlnumber # The current CRL serial number
|
|||
private_key = $dir/salesKey.pem # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = host_ext # The extentions to add to the cert
|
||||
x509_extensions = host_ext # The extensions to add to the cert
|
||||
|
||||
crl_extensions = crl_ext # The extentions to add to the CRL
|
||||
crl_extensions = crl_ext # The extensions to add to the CRL
|
||||
|
||||
default_days = 1825 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
|
@ -78,7 +78,7 @@ default_bits = 2048
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = ca_ext # The extentions to add to the self signed cert
|
||||
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
|
||||
|
||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
|||
in association with the <i>Authentication and Key Agreement</i> protocol
|
||||
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
||||
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||
against <b>carol</b>.
|
||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
|||
in association with an <i>MD5</i> challenge and response protocol
|
||||
(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
|
||||
is kept in <b>ipsec.secrets</b> on both gateway and client
|
||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||
against <b>carol</b>.
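Review bot: the unchanged line above ("is kept in <b>ipsec.secrets</b> on both gateway and client") has no terminating period, so the corrected sentence runs on from it. Add the period while this paragraph is being edited.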
|
||||
|
|
|
@ -4,5 +4,5 @@ in association with the <i>Microsoft CHAP version 2</i> protocol
|
|||
(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
|
||||
e.g. by the Windows 7 Agile VPN client.
|
||||
In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
|
||||
uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
|
||||
uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
|
||||
to authenticate itself against <b>carol</b>.
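Review bot: the rewritten line still contains "EAP identy"; it should read "EAP identity". Since the whole line is on the + side of the hunk, fix both typos at once: `uses the EAP identity <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>`.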
|
||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
|||
in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||
to authenticate against the gateway. In this scenario triplets from the file
|
||||
<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
|
||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
|
||||
itself against <b>carol</b>.
|
||||
|
|
|
@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
|||
in association with the <i>Authentication and Key Agreement</i> protocol
|
||||
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
||||
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
||||
Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||
against <b>carol</b>.
|
||||
|
|