Dear Strongswan maintainers, after cleaning up my pile of coredumps I want to get the patches upstream that I keep applying here. This one I already sent about a year ago: https://lists.strongswan.org/pipermail/users/2008-April/002414.html
It fixes an issue where a host accepts a large number of different CAs. When a roadwarrior initiates phase 1, all these possible CAs are sent as certificate request (CR) payloads. But most clients limit the number of acceptable payloads in a message (Strongswan: 40 payloads, Openswan/Freeswan: 20 payloads). So when the gateway accepts more than 16 CAs, an Openswan client can't establish a connection anymore (KE, NONCE, 16 CRs, 2 NAT-D = 20). This case is described in RFC 4945, section 3.2.7.2 and appendix B. The solution presented there is that the gateway should send an empty CR and let the client decide which certificate to send. I created the attached UML-testcase ikev1/crlimit which shows the problem. When you apply the attached strongswan-4.2-crlimit patch and add the global option "crlimit=16" to the config of moon, the problem is solved. The strongswan-4.2-crdebug.patch helps with debugging problems with certificate requests, as they are now logged in decoded form. It has helped me find CR-related problems several times in the past. It would be nice if you could either apply these patches to the next (non-security) release of strongswan or at least tell me how to improve them. Thank you very much. Kind regards, Gerd -- Address (better: trap) for people I really don't want to get mail from: jo...@cactusamerica.com
crlimit-test.tar.gz
Description: application/compressed-tar
diff -r -u strongswan-4.2.1.orig/src/pluto/ipsec_doi.c strongswan-4.2.1/src/pluto/ipsec_doi.c
--- strongswan-4.2.1.orig/src/pluto/ipsec_doi.c 2008-04-15 13:43:07.000000000 +0200
+++ strongswan-4.2.1/src/pluto/ipsec_doi.c 2008-04-29 10:55:27.000000000 +0200
@@ -310,7 +310,13 @@
 if (ca.ptr != NULL)
 {
 /* build CR body containing the distinguished name of the CA */
- if (!out_chunk(ca, &cr_pbs, "CA"))
+ char buf[BUF_LEN];
+ DBG(DBG_PARSING | DBG_CONTROL,
+ dntoa_or_null(buf, BUF_LEN, ca, "%any");
+ DBG_log("request CA: '%s'", buf);
+ )
+
+ if (!out_chunk(ca, &cr_pbs, "CA"))
 return FALSE;
 }
 close_output_pbs(&cr_pbs);
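Review bot: The `"%any"` fallback passed to `dntoa_or_null` can never be used here, because the new debug block sits inside `if (ca.ptr != NULL)`, so an empty certificate request is still sent without any log line. Moving the `char buf[BUF_LEN];` declaration and the `DBG(...)` block above the `if` would log `request CA: '%any'` for the empty CR as well, which is the case an operator most needs to see when a peer selects an unexpected certificate. This assumes `dntoa_or_null` writes the fallback string when the chunk is empty; the enclosing function starts and ends outside the hunk.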
diff -u -r -p strongswan-4.2.9/src/pluto/certs.h strongswan.crlimit/src/pluto/certs.h --- strongswan-4.2.9/src/pluto/certs.h 2008-09-17 23:10:41.000000000 +0200 +++ strongswan.crlimit/src/pluto/certs.h 2008-12-23 14:39:50.000000000 +0100 @@ -61,6 +61,9 @@ extern const cert_t empty_cert; */ extern bool no_cr_send; +/* limit number of certificate requests, -1 for unlimited */ +extern int cr_limit; + extern err_t load_rsa_private_key(const char* filename, prompt_pass_t *pass , RSA_private_key_t *key); extern chunk_t get_mycert(cert_t cert); diff -u -r -p strongswan-4.2.9/src/pluto/ipsec_doi.c strongswan.crlimit/src/pluto/ipsec_doi.c --- strongswan-4.2.9/src/pluto/ipsec_doi.c 2008-09-17 23:10:41.000000000 +0200 +++ strongswan.crlimit/src/pluto/ipsec_doi.c 2008-12-23 14:39:50.000000000 +0100 @@ -259,9 +259,10 @@ build_and_ship_nonce(chunk_t *n, pb_stre return out_generic_chunk(np, &isakmp_nonce_desc, outs, *n, name); } -static bool +static unsigned int collect_rw_ca_candidates(struct msg_digest *md, generalName_t **top) { + unsigned int cacount=0; struct connection *d = find_host_connection(&md->iface->addr , pluto_port, (ip_address*)NULL, md->sender_port, LEMPTY); @@ -289,10 +290,11 @@ collect_rw_ca_candidates(struct msg_dige gn->name = d->spd.that.ca; gn->next = *top; *top = gn; + cacount++; } } } - return *top != NULL; + return cacount; } static bool 
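Review bot: `collect_rw_ca_candidates` now returns a count instead of a boolean, but nothing at the definition says so, and `cacount` counts only the names pushed in this call, which matches the old `*top != NULL` result only when the caller passes an empty list. I would add a comment above the function such as `/* returns the number of CA names prepended to *top; the caller frees the list */`. Any caller outside this patch that still tests the result as a truth value keeps working, but that is worth confirming. The body between the two hunks (@@ -259 and @@ -289) is not visible here.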
@@ -3430,7 +3432,16 @@ main_inI2_outR2(struct msg_digest *md) { generalName_t *ca = NULL; - if (collect_rw_ca_candidates(md, &ca)) + unsigned int crno=collect_rw_ca_candidates(md, &ca); + if (cr_limit >= 0 && crno > cr_limit) + { + /* too many CRs: some clients ignore messages with too many payloads + send an empty CR according to RFC 4945, section 3.2.7.2 */ + free_generalNames(ca, FALSE); + crno=0; + } + + if (crno) { generalName_t *gn; diff -u -r -p strongswan-4.2.9/src/pluto/plutomain.c strongswan.crlimit/src/pluto/plutomain.c --- strongswan-4.2.9/src/pluto/plutomain.c 2008-09-17 23:10:41.000000000 +0200 +++ strongswan.crlimit/src/pluto/plutomain.c 2008-12-23 14:39:50.000000000 +0100 @@ -87,7 +87,8 @@ usage(const char *mess) " [--noklips]" " [--nocrsend]" " \\\n\t" - "[--strictcrlpolicy]" + "[--crlimit unlimited | <max_cr_no>]" + " [--strictcrlpolicy]" " [--crlcheckinterval <interval>]" " [--cachecrls]" " [--uniqueids]" @@ -200,6 +201,10 @@ delete_lock(void) /* by default pluto sends certificate requests to its peers */ bool no_cr_send = FALSE; +/* limits the number of certificate requests that are sent to a peer + -1 means unlimited, this is the default */ +int cr_limit = -1; + /* by default the CRL policy is lenient */ bool strict_crl_policy = FALSE; @@ -252,6 +257,7 @@ main(int argc, char **argv) { "stderrlog", no_argument, NULL, 'e' }, { "noklips", no_argument, NULL, 'n' }, { "nocrsend", no_argument, NULL, 'c' }, + { "crlimit", required_argument, NULL, 'L' }, { "strictcrlpolicy", no_argument, NULL, 'r' }, { "crlcheckinterval", required_argument, NULL, 'x'}, { "cachecrls", no_argument, NULL, 'C' }, 
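Review bot: After `free_generalNames(ca, FALSE);` in the over-limit branch of `main_inI2_outR2`, `ca` still points at the freed list; only `crno` is reset. Nothing in the visible lines reads `ca` again on that path, but the rest of the function is outside the hunk, so adding `ca = NULL;` right after the free would make any later walk or free of the list harmless. The fallback to an empty CR is also silent; a line such as `DBG(DBG_CONTROL, DBG_log("%u CA candidates exceed crlimit %d, sending empty CR", crno, cr_limit))` would let an operator see why the gateway stopped naming its CAs.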
@@ -358,6 +364,22 @@ main(int argc, char **argv) no_cr_send = TRUE; continue; + case 'L': /* --crlimit unlimited | <max_cr_no> */ + if (optarg == NULL) + usage("missing cr limit number"); + + if (strcmp("unlimited",optarg)==0) + cr_limit=-1; + else + { + char *endptr; + cr_limit = strtoul(optarg, &endptr, 10); + + if (*endptr != '\0' || endptr == optarg) + usage("cr limit must be 'unlimited' or a positive number"); + } + continue; + case 'r': /* --strictcrlpolicy */ strict_crl_policy = TRUE; continue; Nur in strongswan.crlimit/src/pluto: plutomain.c.orig. diff -u -r -p strongswan-4.2.9/src/starter/args.c strongswan.crlimit/src/starter/args.c --- strongswan-4.2.9/src/starter/args.c 2008-11-11 07:47:40.000000000 +0100 +++ strongswan.crlimit/src/starter/args.c 2008-12-23 14:39:50.000000000 +0100 @@ -177,6 +177,7 @@ static const token_info_t token_info[] = { ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool }, { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict }, { ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool }, + { ARG_MISC, offsetof(starter_config_t, setup.cr_limit), NULL }, { ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool }, { ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL }, { ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool }, @@ -652,6 +653,16 @@ cmp_args(kw_token_t first, kw_token_t la default: break; } + + /* KW_CRLIMIT is ARG_MISC so compare it manually */ + if (token == KW_CRLIMIT) + { + int *u1 = (int *)p1; + int *u2 = (int *)p2; + + if (*u1 != *u2) + return FALSE; + } } return TRUE; } Nur in strongswan.crlimit/src/starter: args.c.orig. diff -u -r -p strongswan-4.2.9/src/starter/confread.c strongswan.crlimit/src/starter/confread.c --- strongswan-4.2.9/src/starter/confread.c 2008-11-11 07:47:40.000000000 +0100 +++ strongswan.crlimit/src/starter/confread.c 2008-12-23 14:39:50.000000000 +0100 
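Review bot: The `--crlimit` value in `case 'L'` is parsed with `strtoul` and stored straight into the `int cr_limit`, so out-of-range input is not rejected: `strtoul` accepts a leading minus sign, the `endptr` test passes for values above `INT_MAX`, and on common platforms the conversion can land on -1, which this patch defines as unlimited. A mistyped limit would then silently switch the limit off. Parsing into a `long` with `strtol`, checking `errno` and the 0 to `INT_MAX` range, and assigning only after validation closes that gap; the excerpt below relies on `<errno.h>` and `<limits.h>` being included in plutomain.c. The same pattern is in the `load_setup` hunk of src/starter/confread.c, where a wrapped value can also collide with the -2 "use pluto default" marker. `main` continues outside the hunk.

```c
	case 'L':	/* --crlimit unlimited | <max_cr_no> */
	    /* … unchanged: optarg NULL check and "unlimited" branch … */
	    else
	    {
		char *endptr;
		long val;

		errno = 0;
		val = strtol(optarg, &endptr, 10);

		if (endptr == optarg || *endptr != '\0' || errno == ERANGE
		||  val < 0 || val > INT_MAX)
		    usage("cr limit must be 'unlimited' or a positive number");
		cr_limit = (int)val;
	    }
```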
@@ -64,6 +64,10 @@ static void default_values(starter_confi cfg->setup.charonstart = TRUE; cfg->setup.plutostart = TRUE; + /* limit certificate requests + * magic values: -1: unlimited -2: use pluto default */ + cfg->setup.cr_limit = -2; + cfg->conn_default.seen = LEMPTY; cfg->conn_default.startup = STARTUP_NO; cfg->conn_default.state = STATE_IGNORE; @@ -116,6 +120,24 @@ load_setup(starter_config_t *cfg, config bool assigned = FALSE; kw_token_t token = kw->entry->token; + + if (token == KW_CRLIMIT) + { + if (streq(kw->value, "unlimited")) + cfg->setup.cr_limit = -1; + else + { + char *endptr; + cfg->setup.cr_limit = strtoul(kw->value, &endptr, 10); + + if (*endptr != '\0' || endptr == kw->value) + { + plog("# bad cr limit value: '%s' in config setup", kw->value); + cfg->err++; + continue; + } + } + } if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST) { Nur in strongswan.crlimit/src/starter: confread.c.orig. diff -u -r -p strongswan-4.2.9/src/starter/confread.h strongswan.crlimit/src/starter/confread.h --- strongswan-4.2.9/src/starter/confread.h 2008-11-11 07:47:40.000000000 +0100 +++ strongswan.crlimit/src/starter/confread.h 2008-12-23 14:39:50.000000000 +0100 @@ -182,6 +182,7 @@ struct starter_config { bool cachecrls; strict_t strictcrlpolicy; bool nocrsend; + int cr_limit; bool nat_traversal; u_int keep_alive; u_int force_keepalive; Nur in strongswan.crlimit/src/starter: confread.h.orig. diff -u -r -p strongswan-4.2.9/src/starter/invokepluto.c strongswan.crlimit/src/starter/invokepluto.c --- strongswan-4.2.9/src/starter/invokepluto.c 2008-11-12 02:26:19.000000000 +0100 +++ strongswan.crlimit/src/starter/invokepluto.c 2008-12-23 14:39:50.000000000 +0100 
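Review bot: The bare -1 and -2 stored in `cfg->setup.cr_limit` are in-band markers used in several places in this patch (`default_values` and `load_setup` here, `starter_start_pluto`, and pluto's own `cr_limit`), with their meaning written only in a comment. Named constants in confread.h, for example `#define CR_LIMIT_UNLIMITED (-1)` and `#define CR_LIMIT_DEFAULT (-2)`, would keep the comparisons in invokepluto.c and the assignments here from drifting apart. In `load_setup` the field is also written before the `endptr` check, so a rejected value stays in `cfg`; assigning after the check avoids that.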
@@ -164,6 +164,20 @@ starter_start_pluto (starter_config_t *c { arg[argc++] = "--nocrsend"; } + if (cfg->setup.cr_limit != -2) + { + static char buf3[15]; + + arg[argc++] = "--crlimit"; + + if (cfg->setup.cr_limit == -1) + arg[argc++] = "unlimited"; + else + { + snprintf(buf3, sizeof(buf3), "%u", cfg->setup.cr_limit); + arg[argc++] = buf3; + } + } if (cfg->setup.nat_traversal) { arg[argc++] = "--nat_traversal"; diff -u -r -p strongswan-4.2.9/src/starter/keywords.c strongswan.crlimit/src/starter/keywords.c --- strongswan-4.2.9/src/starter/keywords.c 2008-11-11 08:09:12.000000000 +0100 +++ strongswan.crlimit/src/starter/keywords.c 2008-12-23 14:43:43.000000000 +0100 @@ -1,5 +1,5 @@ /* C code produced by gperf version 3.0.3 */ -/* Command-line: /usr/bin/gperf -C -G -t */ +/* Command-line: gperf -C -G -t keywords.txt */ /* Computed positions: -k'1-2,$' */ #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \ @@ -29,6 +29,7 @@ error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gp...@gnu.org>." #endif +#line 1 "keywords.txt" /* strongSwan keywords * Copyright (C) 2005 Andreas Steffen @@ -51,17 +52,18 @@ error "gperf generated tables don't work #include "keywords.h" +#line 24 "keywords.txt" struct kw_entry { char *name; kw_token_t token; }; -#define TOTAL_KEYWORDS 102 +#define TOTAL_KEYWORDS 103 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 6 -#define MAX_HASH_VALUE 248 -/* maximum key range = 243, duplicates = 0 */ +#define MIN_HASH_VALUE 11 +#define MAX_HASH_VALUE 219 +/* maximum key range = 209, duplicates = 0 */ #ifdef __GNUC__ __inline 
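Review bot: `snprintf(buf3, sizeof(buf3), "%u", cfg->setup.cr_limit)` in `starter_start_pluto` formats an `int` with an unsigned conversion, so any negative value other than the two markers would be handed to pluto as a number around four billion. Using `"%d"` and emitting `--crlimit` only when `cfg->setup.cr_limit >= -1` keeps the argument within what pluto's parser expects. The hunk also adds two more `arg[argc++]` stores; the size of `arg` is declared outside the hunk, so it should be confirmed that the array still has room when every option is enabled.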
@@ -77,198 +79,294 @@ hash (str, len) { static const unsigned char asso_values[] = { - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 25, - 10, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 110, 249, 0, - 100, 5, 75, 65, 90, 0, 249, 60, 10, 15, - 80, 60, 15, 249, 0, 50, 35, 15, 30, 249, - 0, 75, 0, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249, 249, 249, 249, 249, - 249, 249, 249, 249, 249, 249 + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 5, + 0, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 110, 220, 5, + 100, 5, 70, 65, 90, 0, 220, 60, 10, 75, + 80, 20, 15, 220, 0, 50, 35, 15, 10, 220, + 0, 75, 0, 
220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220, 220, 220, 220, 220, + 220, 220, 220, 220, 220, 220 }; return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]]; } static const struct kw_entry wordlist[] = { - {""}, {""}, {""}, {""}, {""}, {""}, - {"crluri", KW_CRLURI}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {"rekeyfuzz", KW_REKEYFUZZ}, + {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, +#line 89 "keywords.txt" + {"crluri", KW_CRLURI}, +#line 91 "keywords.txt" {"crluri2", KW_CRLURI2}, - {""}, {""}, {""}, - {"certuribase", KW_CERTURIBASE}, {""}, +#line 72 "keywords.txt" + {"rekeyfuzz", KW_REKEYFUZZ}, + {""}, {""}, +#line 90 "keywords.txt" + {"crluri1", KW_CRLURI}, + {""}, {""}, {""}, {""}, {""}, +#line 120 "keywords.txt" {"rightfirewall", KW_RIGHTFIREWALL}, {""}, +#line 119 "keywords.txt" {"rightnatip", KW_RIGHTNATIP}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, +#line 95 "keywords.txt" + {"certuribase", KW_CERTURIBASE}, +#line 114 "keywords.txt" {"rightnexthop", KW_RIGHTNEXTHOP}, +#line 118 "keywords.txt" {"rightsourceip", KW_RIGHTSOURCEIP}, + {""}, +#line 52 "keywords.txt" + {"virtual_private", KW_VIRTUAL_PRIVATE}, +#line 44 "keywords.txt" + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, +#line 92 "keywords.txt" + {"ocspuri", KW_OCSPURI}, +#line 94 "keywords.txt" + {"ocspuri2", KW_OCSPURI2}, 
{""}, {""}, {""}, - {"crluri1", KW_CRLURI}, - {""}, {""}, {""}, {""}, +#line 103 "keywords.txt" {"leftfirewall", KW_LEFTFIREWALL}, - {""}, +#line 93 "keywords.txt" + {"ocspuri1", KW_OCSPURI}, +#line 102 "keywords.txt" {"leftnatip", KW_LEFTNATIP}, +#line 113 "keywords.txt" {"right", KW_RIGHT}, +#line 97 "keywords.txt" {"leftnexthop", KW_LEFTNEXTHOP}, +#line 101 "keywords.txt" {"leftsourceip", KW_LEFTSOURCEIP}, - {""}, +#line 36 "keywords.txt" + {"prepluto", KW_PREPLUTO}, +#line 126 "keywords.txt" {"rightcert", KW_RIGHTCERT}, {""}, +#line 115 "keywords.txt" {"rightsubnet", KW_RIGHTSUBNET}, - {""}, +#line 48 "keywords.txt" + {"crlimit", KW_CRLIMIT}, +#line 127 "keywords.txt" {"rightsendcert", KW_RIGHTSENDCERT}, +#line 117 "keywords.txt" {"rightprotoport", KW_RIGHTPROTOPORT}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {""}, {""}, {""}, + {""}, {""}, {""}, {""}, +#line 96 "keywords.txt" {"left", KW_LEFT}, - {""}, {""}, {""}, + {""}, +#line 43 "keywords.txt" + {"overridemtu", KW_OVERRIDEMTU}, + {""}, +#line 109 "keywords.txt" {"leftcert", KW_LEFTCERT,}, {""}, +#line 98 "keywords.txt" {"leftsubnet", KW_LEFTSUBNET}, +#line 129 "keywords.txt" {"rightgroups", KW_RIGHTGROUPS}, +#line 110 "keywords.txt" {"leftsendcert", KW_LEFTSENDCERT}, +#line 100 "keywords.txt" {"leftprotoport", KW_LEFTPROTOPORT}, - {""}, +#line 37 "keywords.txt" + {"postpluto", KW_POSTPLUTO}, +#line 121 "keywords.txt" {"righthostaccess", KW_RIGHTHOSTACCESS}, - {""}, - {"ocspuri", KW_OCSPURI}, + {""}, {""}, +#line 76 "keywords.txt" {"ike", KW_IKE}, {""}, +#line 32 "keywords.txt" {"plutostart", KW_PLUTOSTART}, {""}, {""}, +#line 75 "keywords.txt" {"esp", KW_ESP}, {""}, +#line 112 "keywords.txt" {"leftgroups", KW_LEFTGROUPS}, +#line 70 "keywords.txt" {"ikelifetime", KW_IKELIFETIME}, +#line 68 "keywords.txt" {"keylife", KW_KEYLIFE}, - {"ocspuri2", KW_OCSPURI2}, + {""}, +#line 104 "keywords.txt" {"lefthostaccess", KW_LEFTHOSTACCESS}, +#line 50 "keywords.txt" {"keep_alive", KW_KEEP_ALIVE}, +#line 61 
"keywords.txt" {"keyexchange", KW_KEYEXCHANGE}, {""}, - {"prepluto", KW_PREPLUTO}, +#line 64 "keywords.txt" + {"compress", KW_COMPRESS}, {""}, +#line 73 "keywords.txt" {"rekey", KW_REKEY}, - {"mobike", KW_MOBIKE}, - {""}, + {""}, {""}, +#line 122 "keywords.txt" {"rightallowany", KW_RIGHTALLOWANY}, +#line 125 "keywords.txt" {"rightrsasigkey", KW_RIGHTRSASIGKEY}, {""}, +#line 123 "keywords.txt" {"rightupdown", KW_RIGHTUPDOWN}, +#line 57 "keywords.txt" {"pkcs11module", KW_PKCS11MODULE}, - {"ocspuri1", KW_OCSPURI}, +#line 39 "keywords.txt" + {"fragicmp", KW_FRAGICMP}, {""}, +#line 59 "keywords.txt" {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, +#line 69 "keywords.txt" {"rekeymargin", KW_REKEYMARGIN}, +#line 116 "keywords.txt" {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"fragicmp", KW_FRAGICMP}, - {""}, + {""}, {""}, +#line 34 "keywords.txt" {"plutodebug", KW_PLUTODEBUG}, +#line 74 "keywords.txt" {"reauth", KW_REAUTH}, +#line 105 "keywords.txt" {"leftallowany", KW_LEFTALLOWANY}, +#line 108 "keywords.txt" {"leftrsasigkey", KW_LEFTRSASIGKEY}, +#line 38 "keywords.txt" {"plutostderrlog", KW_PLUTOSTDERRLOG}, +#line 106 "keywords.txt" {"leftupdown", KW_LEFTUPDOWN}, - {"mediated_by", KW_MEDIATED_BY}, +#line 55 "keywords.txt" + {"mobike", KW_MOBIKE}, +#line 124 "keywords.txt" {"rightid", KW_RIGHTID}, +#line 77 "keywords.txt" + {"pfsgroup", KW_PFSGROUP}, {""}, - {"mediation", KW_MEDIATION}, - {""}, +#line 51 "keywords.txt" + {"force_keepalive", KW_FORCE_KEEPALIVE}, +#line 99 "keywords.txt" {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {""}, - {"pfsgroup", KW_PFSGROUP}, - {""}, {""}, - {"overridemtu", KW_OVERRIDEMTU}, + {""}, {""}, {""}, {""}, {""}, +#line 128 "keywords.txt" {"rightca", KW_RIGHTCA}, - {"compress", KW_COMPRESS}, + {""}, +#line 62 "keywords.txt" {"type", KW_TYPE}, {""}, +#line 107 "keywords.txt" {"leftid", KW_LEFTID}, +#line 30 "keywords.txt" {"dumpdir", KW_DUMPDIR}, +#line 88 "keywords.txt" {"ldapbase", KW_LDAPBASE}, {""}, {""}, +#line 71 "keywords.txt" 
{"keyingtries", KW_KEYINGTRIES}, - {""}, {""}, - {"me_peerid", KW_ME_PEERID}, - {""}, + {""}, {""}, {""}, {""}, +#line 111 "keywords.txt" {"leftca", KW_LEFTCA}, {""}, +#line 53 "keywords.txt" {"eap", KW_EAP}, - {""}, {""}, - {"charonstart", KW_CHARONSTART}, - {""}, {""}, + {""}, {""}, {""}, {""}, +#line 63 "keywords.txt" + {"pfs", KW_PFS}, +#line 58 "keywords.txt" {"pkcs11initargs", KW_PKCS11INITARGS}, +#line 29 "keywords.txt" {"interfaces", KW_INTERFACES}, +#line 31 "keywords.txt" + {"charonstart", KW_CHARONSTART}, {""}, {""}, - {"pfs", KW_PFS}, - {"postpluto", KW_POSTPLUTO}, +#line 130 "keywords.txt" + {"also", KW_ALSO}, +#line 33 "keywords.txt" {"klipsdebug", KW_KLIPSDEBUG}, {""}, +#line 41 "keywords.txt" {"hidetos", KW_HIDETOS}, - {""}, {""}, - {"modeconfig", KW_MODECONFIG}, - {"cacert", KW_CACERT}, {""}, +#line 131 "keywords.txt" + {"auto", KW_AUTO}, + {""}, +#line 56 "keywords.txt" + {"forceencaps", KW_FORCEENCAPS}, + {""}, +#line 87 "keywords.txt" {"ldaphost", KW_LDAPHOST}, +#line 42 "keywords.txt" {"uniqueids", KW_UNIQUEIDS}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {""}, {""}, {""}, {""}, + {""}, +#line 86 "keywords.txt" + {"cacert", KW_CACERT}, + {""}, {""}, {""}, +#line 79 "keywords.txt" {"dpdtimeout", KW_DPDTIMEOUT}, +#line 60 "keywords.txt" {"pkcs11proxy", KW_PKCS11PROXY}, {""}, {""}, {""}, {""}, - {"charondebug", KW_CHARONDEBUG}, +#line 84 "keywords.txt" + {"mediated_by", KW_MEDIATED_BY}, {""}, +#line 65 "keywords.txt" {"installpolicy", KW_INSTALLPOLICY}, - {"cachecrls", KW_CACHECRLS}, - {""}, {""}, {""}, - {"packetdefault", KW_PACKETDEFAULT}, +#line 83 "keywords.txt" + {"mediation", KW_MEDIATION}, +#line 81 "keywords.txt" + {"modeconfig", KW_MODECONFIG}, +#line 35 "keywords.txt" + {"charondebug", KW_CHARONDEBUG}, {""}, +#line 40 "keywords.txt" + {"packetdefault", KW_PACKETDEFAULT}, +#line 45 "keywords.txt" + {"cachecrls", KW_CACHECRLS}, +#line 46 "keywords.txt" {"strictcrlpolicy", KW_STRICTCRLPOLICY}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, 
{""}, - {"also", KW_ALSO}, + {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {"auto", KW_AUTO}, - {""}, {""}, {""}, {""}, {""}, {""}, - {"forceencaps", KW_FORCEENCAPS}, - {""}, +#line 85 "keywords.txt" + {"me_peerid", KW_ME_PEERID}, + {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, +#line 78 "keywords.txt" {"dpddelay", KW_DPDDELAY}, {""}, {""}, {""}, +#line 54 "keywords.txt" {"eap_identity", KW_EAP_IDENTITY}, {""}, +#line 80 "keywords.txt" {"dpdaction", KW_DPDACTION}, +#line 82 "keywords.txt" {"xauth", KW_XAUTH}, +#line 67 "keywords.txt" {"authby", KW_AUTHBY}, - {""}, {""}, {""}, {""}, {""}, {""}, + {""}, +#line 47 "keywords.txt" + {"nocrsend", KW_NOCRSEND}, + {""}, {""}, {""}, {""}, +#line 49 "keywords.txt" {"nat_traversal", KW_NAT_TRAVERSAL}, {""}, {""}, {""}, {""}, {""}, - {"auth", KW_AUTH}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {""}, - {"nocrsend", KW_NOCRSEND} +#line 66 "keywords.txt" + {"auth", KW_AUTH} }; #ifdef __GNUC__ diff -u -r -p strongswan-4.2.9/src/starter/keywords.h strongswan.crlimit/src/starter/keywords.h --- strongswan-4.2.9/src/starter/keywords.h 2008-11-11 07:47:40.000000000 +0100 +++ strongswan.crlimit/src/starter/keywords.h 2008-12-23 14:39:50.000000000 +0100 @@ -37,6 +37,7 @@ typedef enum { KW_CACHECRLS, KW_STRICTCRLPOLICY, KW_NOCRSEND, + KW_CRLIMIT, KW_NAT_TRAVERSAL, KW_KEEP_ALIVE, KW_FORCE_KEEPALIVE, diff -u -r -p strongswan-4.2.9/src/starter/keywords.txt strongswan.crlimit/src/starter/keywords.txt --- strongswan-4.2.9/src/starter/keywords.txt 2008-11-11 07:47:40.000000000 +0100 +++ strongswan.crlimit/src/starter/keywords.txt 2008-12-23 14:39:50.000000000 +0100 
@@ -45,6 +45,7 @@ crlcheckinterval, KW_CRLCHECKINTERVAL
 cachecrls, KW_CACHECRLS
 strictcrlpolicy, KW_STRICTCRLPOLICY
 nocrsend, KW_NOCRSEND
+crlimit, KW_CRLIMIT
 nat_traversal, KW_NAT_TRAVERSAL
 keep_alive, KW_KEEP_ALIVE
 force_keepalive, KW_FORCE_KEEPALIVE