Source-Changes-HG archive


[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon From Frank Wille:



details:   https://anonhg.NetBSD.org/src/rev/b091ddcbc6cd
branches:  trunk
changeset: 814161:b091ddcbc6cd
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Mar 09 22:27:17 2016 +0000

description:
From Frank Wille:
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode, if "mode_cfg" is configured to "on".
Tested with a Lancom router, using the following configuration:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;

    my_identifier asn1dn;
    certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
    ca_type x509 "ca.crt";

    mode_cfg on;
    dpd_delay 20;
    nat_traversal on;
    lifetime time 8 hour;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;

    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check obey;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

diffstat:

 crypto/dist/ipsec-tools/src/racoon/isakmp.c       |  10 +++++++++-
 crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c   |   4 +++-
 crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c |   3 ++-
 3 files changed, 14 insertions(+), 3 deletions(-)

diffs (73 lines):

diff -r d5c7f3d27211 -r b091ddcbc6cd crypto/dist/ipsec-tools/src/racoon/isakmp.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c       Wed Mar 09 20:55:22 2016 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c       Wed Mar 09 22:27:17 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $       */
+/*     $NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $     */
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -890,6 +890,10 @@
                                /* XXX Don't process INITIAL_CONTACT */
                                iph1->rmconf->ini_contact = 0;
                                break;
+                       case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+                               if (iph1->rmconf->mode_cfg)
+                                       error = isakmp_cfg_getconfig(iph1);
+                               break;
                        default:
                                break;
                        }
@@ -945,6 +949,10 @@
                                break;
                        }
                }
+               if ((iph1->rmconf->mode_cfg) &&
+                   !(iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH)) {
+                       error = isakmp_cfg_getconfig(iph1);
+               }
        }
 
        return 0;
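Review bot: The result of isakmp_cfg_getconfig() is stored in `error` in the new if block, yet the function returns 0 two lines later, so a failed mode-config request is dropped silently and phase 1 completes as if the request had gone out; the case added in the earlier hunk (@@ -890) assigns `error` the same way and, unless it is examined somewhere between the two hunks, has the same problem. Either propagate it, `return error;`, or at least report it, e.g. `if (error != 0) plog(LLV_ERROR, LOCATION, NULL, "mode config request failed\n");`, whichever matches what callers of this function expect. The new condition also dereferences `iph1->mode_cfg` with no NULL check; if that state is allocated unconditionally for every phase-1 handle a comment stating so would help, otherwise a guard is needed. The enclosing function starts outside the hunk.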
diff -r d5c7f3d27211 -r b091ddcbc6cd crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c   Wed Mar 09 20:55:22 2016 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c   Wed Mar 09 22:27:17 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $   */
+/*     $NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $ */
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -457,6 +457,7 @@
                case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
                case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
                case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+               case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
                        script_hook(iph1, SCRIPT_PHASE1_UP);
                        break;
                default:
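Review bot: Adding OAKLEY_ATTR_AUTH_METHOD_RSASIG to this switch makes script_hook(iph1, SCRIPT_PHASE1_UP) fire from the mode-config reply path for plain certificate authentication; if isakmp_ph1done still runs the phase1_up hook for non-XAUTH methods (the diffstat shows no change there), the script is invoked twice per phase 1 whenever mode_cfg is on. That ordering rule is worth verifying and recording above the new label, e.g. `/* rsasig with mode_cfg on: phase1_up is deferred until the config reply arrives */`. The same label is added to the responder-side switch in the hunk at @@ -639, which needs the same check. Both enclosing functions extend beyond their hunks.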
@@ -639,6 +640,7 @@
                case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
                case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
                case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+               case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
                        script_hook(iph1, SCRIPT_PHASE1_UP);
                        break;
                default:
diff -r d5c7f3d27211 -r b091ddcbc6cd crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c Wed Mar 09 20:55:22 2016 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c Wed Mar 09 22:27:17 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $ */
+/*     $NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $       */
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -172,6 +172,7 @@
                        plist = isakmp_plist_append(plist,
                            vid_xauth, ISAKMP_NPTYPE_VID);
 
+       case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
                if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
                        plog(LLV_ERROR, LOCATION, NULL,
                             "Unity vendor ID generation failed\n");
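Review bot: The new `case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` label sits directly after the vid_xauth append with no break, so the preceding cases now fall through into it by design; mark that on the blank line above it with `/* FALLTHROUGH */` so a later reader (or -Wimplicit-fallthrough) does not take it for an omission. Unlike the isakmp.c hunks, nothing visible here conditions the Unity vendor ID on `rmconf->mode_cfg`, so every rsasig initiator would advertise mode-config support even when it is configured off; if that is not intended, guard the label with `if (!iph1->rmconf->mode_cfg) break;` (assuming the phase-1 handle is in scope as `iph1`, as in the other hunks). The enclosing switch and function continue outside the hunk.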


