for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to
the problem of accepting random bytes after the OID of the hash function in
such signatures, and CVE-2018-16152 has been assigned to the issue of not
- verifying that the parameters in the ASN.1 algorithmIdentitifer structure is
+ verifying that the parameters in the ASN.1 algorithmIdentifier structure is
empty. Other flaws that don't lead to a vulnerability directly (e.g. not
checking for at least 8 bytes of padding) have no separate CVE assigned.
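Review bot: the `+` line "verifying that the parameters in the ASN.1 algorithmIdentifier structure is empty" still has a subject/verb mismatch after the spelling fix; since the hunk is already touching this line, suggest "verifying that the parameters field in the ASN.1 algorithmIdentifier structure is empty" (or "... parameters ... are empty") so the NEWS entry reads cleanly.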
- In the bliss plugin the c_indices derivation using a SHA-512 based random
oracle has been fixed, generalized and standardized by employing the MGF1 mask
- generation function with SHA-512. As a consequence BLISS signatures unsing the
+ generation function with SHA-512. As a consequence BLISS signatures using the
improved oracle are not compatible with the earlier implementation.
- Support for auto=route with right=%any for transport mode connections has
- The PA-TNC and PB-TNC protocols can now process huge data payloads
>64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
and these messages over several PB-TNC batches. As long as no
- consolidated recommandation from all IMVs can be obtained, the TNC
+ consolidated recommendation from all IMVs can be obtained, the TNC
server requests more client data by sending an empty SDATA batch.
- The rightgroups2 ipsec.conf option can require group membership during
- The nm plugin also accepts CA certificates for gateway authentication. If
a CA certificate is configured, strongSwan uses the entered gateway address
- as its idenitity, requiring the gateways certificate to contain the same as
+ as its identity, requiring the gateways certificate to contain the same as
subjectAltName. This allows a gateway administrator to deploy the same
certificates to Windows 7 and NetworkManager clients.
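Review bot: the `+` line "requiring the gateways certificate to contain the same as subjectAltName" fixes "identity" but leaves the missing possessive; suggest "requiring the gateway's certificate to contain the same as subjectAltName" while this line is being edited.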
Initiators and responders can use several authentication rounds (e.g. RSA
followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
leftauth2/rightauth2 parameters define own authentication rounds or setup
- constraints for the remote peer. See the ipsec.conf man page for more detials.
+ constraints for the remote peer. See the ipsec.conf man page for more details.
- If glibc printf hooks (register_printf_function) are not available,
strongSwan can use the vstr string library to run on non-glibc systems.
- Added support for preshared keys in IKEv2. PSK keys configured in
ipsec.secrets are loaded. The authby parameter specifies the authentication
- method to authentificate ourself, the other peer may use PSK or RSA.
+ method to authenticate ourself, the other peer may use PSK or RSA.
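Review bot: the `+` line "method to authenticate ourself, the other peer may use PSK or RSA" still reads awkwardly ("ourself" is not standard, and the comma splice joins two clauses); suggest "method to authenticate ourselves; the other peer may use PSK or RSA".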
- Changed retransmission policy to respect the keyingtries parameter.
left|rightfirewall keyword causes the automatic insertion
and deletion of ACCEPT rules for tunneled traffic upon
the successful setup and teardown of an IPsec SA, respectively.
- left|rightfirwall can be used with KLIPS under any Linux 2.4
+ left|rightfirewall can be used with KLIPS under any Linux 2.4
kernel or with NETKEY under a Linux kernel version >= 2.6.16
in conjunction with iptables >= 1.3.5. For NETKEY under a Linux
kernel version < 2.6.16 which does not support IPsec policy
to replace the various shell and awk starter scripts (setup, _plutoload,
_plutostart, _realsetup, _startklips, _confread, and auto). Since
ipsec.conf is now parsed only once, the starting of multiple tunnels is
- accelerated tremedously.
+ accelerated tremendously.
- Added support of %defaultroute to the ipsec starter. If the IP address
changes, a HUP signal to the ipsec starter will automatically
- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
installed either by setting auto=route in ipsec.conf or by
- a connection put into hold, generates an XFRM_AQUIRE event
+ a connection put into hold, generates an XFRM_ACQUIRE event
for each packet that wants to use the not-yet existing
- tunnel. Up to now each XFRM_AQUIRE event led to an entry in
+ tunnel. Up to now each XFRM_ACQUIRE event led to an entry in
the Quick Mode queue, causing multiple IPsec SA to be
established in rapid succession. Starting with strongswan-2.5.1
only a single IPsec SA is established per host-pair connection.
conn rw1
right=%any
- righsubnet=10.4.0.5/32
+ rightsubnet=10.4.0.5/32
conn rw2
right=%any
certificates.
charon.plugins.load-tester.delay = 0
- Delay between initiatons for each thread.
+ Delay between initiations for each thread.
charon.plugins.load-tester.delete_after_established = no
Delete an IKE_SA as soon as it has been established.
Number of concurrent initiator threads to use in load test.
charon.plugins.load-tester.initiator_auth = pubkey
- Authentication method(s) the intiator uses.
+ Authentication method(s) the initiator uses.
charon.plugins.load-tester.initiator_id =
Initiator ID used in load test.
libipsec library messages
.TP
.B lib
-libstrongwan library messages
+libstrongswan library messages
.TP
.B tnc
Trusted Network Connect
ARG_WITH_SUBST([ipsecdir], [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
ARG_WITH_SUBST([ipseclibdir], [${libdir%/}/ipsec], [set installation path for ipsec libraries])
ARG_WITH_SUBST([plugindir], [${ipseclibdir%/}/plugins], [set the installation path of plugins])
-ARG_WITH_SUBST([imcvdir], [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic librariers])
+ARG_WITH_SUBST([imcvdir], [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic libraries])
ARG_WITH_SUBST([nm-ca-dir], [/usr/share/ca-certificates], [directory the NM backend uses to look up trusted root certificates])
ARG_WITH_SUBST([swanctldir], [${sysconfdir}/swanctl], [base directory for swanctl configuration files and credentials])
ARG_WITH_SUBST([linux-headers], [\${top_srcdir}/src/include], [set directory of linux header files to use])
AC_SUBST(tss2_LIBS, "$tss2_sys_LIBS")
else
PKG_CHECK_MODULES(tss2_tabrmd, [tcti-tabrmd],
- [tss2_tabrmd=true; AC_DEFINE([TSS2_TCTI_TABRMD], [], [use TCTI Access Broker and Resource Mamager])],
+ [tss2_tabrmd=true; AC_DEFINE([TSS2_TCTI_TABRMD], [], [use TCTI Access Broker and Resource Manager])],
[tss2_tabrmd=false])
PKG_CHECK_MODULES(tss2_socket, [tcti-socket],
[tss2_socket=true; AC_DEFINE([TSS2_TCTI_SOCKET], [], [use TCTI Sockets])],
nm_creds_t *creds;
/**
- * attribute handler regeisterd at the daemon
+ * attribute handler registered at the daemon
*/
nm_handler_t *handler;
};
return FALSE;
}
}
- /* ... or certificate/private key authenitcation */
+ /* ... or certificate/private key authentication */
else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
{
public_key_t *public;
/**
* Return id of remote identity.
*
- * TODO: Replace this with the lookup for the remote identitiy id.
+ * TODO: Replace this with the lookup for the remote identity id.
*
* Currently the reqid of the first child SA in peer config of IKE SA is
* returned. Might choose wrong reqid if IKE SA has multiple child configs
lts: Local side traffic selectors, comma separated CIDR subnets
rts: Remote side traffic selectors, comma separated CIDR subnets
transport: Propose IPsec transport mode instead of tunnel mode
- tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
+ tfc_padding: Inject Traffic Flow Confidentiality bytes to align packets to the
given length
proposal: CHILD_SA proposal list, same syntax as IKE_SA proposal list
request: yes to set in request, no in response
id: IKEv2 message identifier of message to mangle
from: proposal number to mangle
- to: new porposal number to set instead of from
+ to: new proposal number to set instead of from
set_reserved: set arbitrary reserved bits/bytes in payloads
request: yes to set in request, no in response
id: IKEv2 message identifier of message to mangle
}
/**
- * Load certificates from the confiuguration file
+ * Load certificates from the configuration file
*/
static bool load_certs(settings_t *settings, char *dir)
{
}
/**
- * Load private keys from the confiuguration file
+ * Load private keys from the configuration file
*/
static bool load_keys(settings_t *settings, char *dir)
{
};
/**
- * Callback registrered with libipsec.
+ * Callback registered with libipsec.
*/
static void expire(uint8_t protocol, uint32_t spi, host_t *dst, bool hard)
{
)
AC_ARG_WITH(
[libnm-glib],
- AS_HELP_STRING([--without-libnm-glib], [build NetworkManager-strongswan without libnm-glib comatibility]),
+ AS_HELP_STRING([--without-libnm-glib], [build NetworkManager-strongswan without libnm-glib compatibility]),
[with_libnm_glib=no],
[with_libnm_glib=yes]
)
</packing>
</child>
<child>
- <object class="GtkAlignment" id="gateway-alignement">
+ <object class="GtkAlignment" id="gateway-alignment">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="left_padding">12</property>
</packing>
</child>
<child>
- <object class="GtkAlignment" id="client-aligement">
+ <object class="GtkAlignment" id="client-alignment">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="left_padding">12</property>
</packing>
</child>
<child>
- <object class="GtkAlignment" id="options-alignement">
+ <object class="GtkAlignment" id="options-alignment">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="left_padding">12</property>
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
/*
- * Generic LSM security context for comunicating to user space
+ * Generic LSM security context for communicating to user space
* NOTE: Same format as sadb_x_sec_ctx
*/
struct xfrm_user_sec_ctx {
/**
* Handle a configuration attribute.
*
- * After receiving a configuration attriubte, it is passed to each
+ * After receiving a configuration attribute, it is passed to each
* attribute handler until it is handled.
*
* @param ike_sa IKE_SA under which attribute is received
enumerator_t *inner;
/** IKE_SA to request attributes for */
ike_sa_t *ike_sa;
- /** virtual IPs we are requesting along with attriubutes */
+ /** virtual IPs we are requesting along with attributes */
linked_list_t *vips;
} initiator_enumerator_t;
* Lease entry.
*/
typedef struct {
- /* identitiy reference */
+ /* identity reference */
identification_t *id;
/* array of online leases, as unique_lease_t */
array_t *online;
* CHILD_SA migration hook.
*
* @param new ID of new SA when called for the old, NULL otherwise
- * @param uniue unique ID of new SA when called for the old, 0 otherwise
+ * @param unique unique ID of new SA when called for the old, 0 otherwise
*/
void (*children_migrate)(bus_t *this, ike_sa_id_t *new, uint32_t unique);
uint32_t reqid;
/**
- * Optionl interface ID to use for inbound CHILD_SA
+ * Optional interface ID to use for inbound CHILD_SA
*/
uint32_t if_id_in;
/**
- * Optionl interface ID to use for outbound CHILD_SA
+ * Optional interface ID to use for outbound CHILD_SA
*/
uint32_t if_id_out;
/**
* Select a proposal from a supplied list.
*
- * Returned propsal is newly created and must be destroyed after usage.
+ * Returned proposal is newly created and must be destroyed after usage.
*
* @param proposals list from which proposals are selected
* @param flags flags to consider during proposal selection
* side, one for the remote side.
* If a list with traffic selectors is supplied, these are used to narrow
* down the traffic selector list to the greatest common divisor.
- * Some traffic selector may be "dymamic", meaning they are narrowed down
+ * Some traffic selector may be "dynamic", meaning they are narrowed down
* to a specific address (host-to-host or virtual-IP setups). Use
* the "host" parameter to narrow such traffic selectors to that address.
* Resulted list and its traffic selectors must be destroyed after use.
linked_list_t *remote_auth;
/**
- * Optionl interface ID to use for inbound CHILD_SA
+ * Optional interface ID to use for inbound CHILD_SA
*/
uint32_t if_id_in;
/**
- * Optionl interface ID to use for outbound CHILD_SA
+ * Optional interface ID to use for outbound CHILD_SA
*/
uint32_t if_id_out;
ike_version_t (*get_ike_version)(peer_cfg_t *this);
/**
- * Get the IKE config to use for initiaton.
+ * Get the IKE config to use for initiation.
*
* @return the IKE config to use
*/
* synchronization:
* Each IKE_SA must be checked out strictly and checked in again after use. The
* manager guarantees that only one thread may check out a single IKE_SA. This
- * allows us to write the (complex) IKE_SAs routines non-threadsave.
+ * allows us to write the (complex) IKE_SAs routines non-threadsafe.
* The IKE_SA contain the state and the logic of each IKE_SA and handle the
* messages.
*
/* Payload type */
payload_type_t type;
/* Minimal occurrence of this payload. */
- size_t min_occurence;
+ size_t min_occurrence;
/* Max occurrence of this payload. */
- size_t max_occurence;
+ size_t max_occurrence;
/* TRUE if payload must be encrypted */
bool encrypted;
/* If payload occurs, the message rule is fulfilled */
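Review bot: renaming the struct fields `min_occurence`/`max_occurence` to `min_occurrence`/`max_occurrence` changes an identifier, not just a comment, so every initializer and reader of the rule tables must be updated in the same commit or the build breaks; the verification code later in this diff (`if (found > rule->max_occurrence)`, `rule->min_occurrence`) is updated, but please confirm no other rule table or payload file still uses the old spelling.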
/**
* Generates the message, if needed, wraps the payloads in an encrypted payload.
*
- * The generator and the possible enrypted payload are returned. The latter
+ * The generator and the possible encrypted payload are returned. The latter
* is not yet encrypted (but the transform is set). It is also not added to
* the payload list (so unless there are unencrypted payloads that list will
* be empty afterwards).
found++;
DBG2(DBG_ENC, "found payload of type %N",
payload_type_names, type);
- if (found > rule->max_occurence)
+ if (found > rule->max_occurrence)
{
DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
"occurred in current message", payload_type_names,
- type, rule->max_occurence, found);
+ type, rule->max_occurrence, found);
enumerator->destroy(enumerator);
return VERIFY_ERROR;
}
}
enumerator->destroy(enumerator);
- if (!complete && found < rule->min_occurence)
+ if (!complete && found < rule->min_occurrence)
{
DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
- payload_type_names, rule->type, rule->min_occurence, found);
+ payload_type_names, rule->type, rule->min_occurrence, found);
return VERIFY_ERROR;
}
if (found && rule->sufficient)
/* base pointer for output, avoids casting in every rule */
output = pld;
- /* parse the payload with its own rulse */
+ /* parse the payload with its own rules */
rule_count = pld->get_encoding_rules(pld, &this->rules);
for (rule_number = 0; rule_number < rule_count; rule_number++)
{
return PARSE_ERROR;
}
}
- /* process next rulue */
+ /* process next rule */
rule++;
}
/**
* Creates an enumerator of stored configuration_attribute_t objects.
*
- * @return enumerator over configration_attribute_T
+ * @return enumerator over configuration_attribute_t
*/
enumerator_t *(*create_attribute_enumerator) (cp_payload_t *this);
{ RESERVED_BIT, offsetof(private_eap_payload_t, reserved[6]) },
/* Length of the whole payload*/
{ PAYLOAD_LENGTH, offsetof(private_eap_payload_t, payload_length) },
- /* chunt to data, starting at "code" */
+ /* chunk to data, starting at "code" */
{ CHUNK_DATA, offsetof(private_eap_payload_t, data) },
};
/**
* Representing a spi field.
*
- * When generating the content of the chunkt pointing to
+ * When generating the content of the chunk pointing to
* is written.
*
* When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
* this field is available or missing and so parsed/generated
* or not parsed/not generated.
*
- * When generating the content of the chunkt pointing to
+ * When generating the content of the chunk pointing to
* is written.
*
* When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
* Depending on the last field of type TS_TYPE
* this field is either 4 or 16 byte long.
*
- * When generating the content of the chunkt pointing to
+ * When generating the content of the chunk pointing to
* is written.
*
* When parsing 4 or 16 bytes are read and written into the chunk pointing to.
* Representing an IKE_SPI field in an IKEv2 Header.
*
* When generating the value of the uint64_t pointing to
- * is written (host and networ order is not changed).
+ * is written (host and network order is not changed).
*
* When parsing 8 bytes are read and written into the uint64_t pointing to.
*/
ENCRYPTED_DATA,
/**
- * Reprensenting a field containing a set of wrapped payloads.
+ * Representing a field containing a set of wrapped payloads.
*
* This type is not used directly, but as an offset to the wrapped payloads.
* The type of the wrapped payload is added to this encoding type.
/**
* Get the fragment data.
*
- * @return chunkt to internal fragment data
+ * @return chunk to internal fragment data
*/
chunk_t (*get_data)(fragment_payload_t *this);
/**
* Get the hash value.
*
- * @return chunkt to internal hash data
+ * @return chunk to internal hash data
*/
chunk_t (*get_hash) (hash_payload_t *this);
* Create an IKEv1 ID_ADDR_SUBNET/RANGE identity from a traffic selector.
*
* @param ts traffic selector
- * @return PLV1_ID id_paylad_t object.
+ * @return PLV1_ID id_payload_t object.
*/
id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
PLV2_NONCE = 40,
/**
- * Notify paylaod (N).
+ * Notify payload (N).
*/
PLV2_NOTIFY = 41,
PLV2_DELETE = 42,
/**
- * Vendor id paylpoad (V).
+ * Vendor id payload (V).
*/
PLV2_VENDOR_ID = 43,
size_t (*get_length) (payload_t *this);
/**
- * Verifies payload structure and makes consistence check.
+ * Verifies payload structure and makes consistency check.
*
- * @return SUCCESS, FAILED if consistence not given
+ * @return SUCCESS, FAILED if consistency not given
*/
status_t (*verify) (payload_t *this);
*
* Useful for the parser, who wants a generic constructor for all payloads.
* It supports all payload_t methods. If a payload type is not known,
- * an unknwon_paylod is created with the chunk of data in it.
+ * an unknown_payload is created with the chunk of data in it.
*
* @param type type of the payload to create
* @return payload_t object
bool (*get_cpi) (proposal_substructure_t *this, uint16_t *cpi);
/**
- * Get proposals contained in a propsal_substructure_t.
+ * Get proposals contained in a proposal_substructure_t.
*
* @param list list to add created proposals to
*/
traffic_selector_substructure_t *traffic_selector_substructure_create(void);
/**
- * Creates an initialized traffif selector substructure using
+ * Creates an initialized traffic selector substructure using
* the values from a traffic_selector_t.
*
* @param traffic_selector traffic_selector_t to use for initialization
*
* @param virtual_ip virtual ip address to remove
* @param prefix prefix length of the IP to uninstall, -1 for auto
- * @param wait TRUE to wait untily IP is gone
+ * @param wait TRUE to wait until IP is gone
* @return SUCCESS if operation completed
*/
status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
/**
* Check if interfaces are excluded by config.
*
- * @return TRUE if no interfaces are exclued by config
+ * @return TRUE if no interfaces are excluded by config
*/
bool (*all_interfaces_usable)(kernel_interface_t *this);
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
/**
- * Hook called if an exire event for an IPsec SA is received.
+ * Hook called if an expire event for an IPsec SA is received.
*
* @param protocol protocol of the expired SA
* @param spi spi of the expired SA
*
* @param protocol IPsec protocol of affected SA
* @param spi spi of the SA
- * @param dst old destinatino address of SA
+ * @param dst old destination address of SA
* @param remote new remote host
* @return TRUE to remain registered, FALSE to unregister
*/
/* We don't disable cookies unless we haven't seen IKE_SA_INITs
* for COOKIE_CALMDOWN_DELAY seconds. This avoids jittering between
* cookie on / cookie off states, which is problematic. Consider the
- * following: A legitimiate initiator sends a IKE_SA_INIT while we
+ * following: A legitimate initiator sends a IKE_SA_INIT while we
* are under a DoS attack. If we toggle our cookie behavior,
* multiple retransmits of this IKE_SA_INIT might get answered with
* and without cookies. The initiator goes on and retries with
struct dhcp_provider_t {
/**
- * Implements attribute_provier_t interface.
+ * Implements attribute_provider_t interface.
*/
attribute_provider_t provider;
* @param id user identity
* @param[out] k (16 byte) scratchpad to receive secret key K
* @param[out] opc (16 byte) scratchpad to receive operator variant key
- * derivate OPc
+ * derivative OPc
*/
bool eap_aka_3gpp_get_k_opc(identification_t *id, uint8_t k[AKA_K_LEN],
uint8_t opc[AKA_OPC_LEN]);
* f1 : Calculate MAC-A from RAND, SQN, AMF using K and OPc
*
* @param k (128 bit) secret key K
- * @param opc (128 bit) operator variant key derivate OPc
+ * @param opc (128 bit) operator variant key derivative OPc
* @param rand (128 bit) random value RAND
* @param sqn (48 bit) sequence number SQN
* @param amf (16 bit) authentication management field AMF
* f1* : Calculate MAC-S from RAND, SQN, AMF using K and OPc
*
* @param k (128 bit) secret key K
- * @param opc (128 bit) operator variant key derivate OPc
+ * @param opc (128 bit) operator variant key derivative OPc
* @param rand (128 bit) random value RAND
* @param sqn (48 bit) sequence number SQN
* @param amf (16 bit) authentication management field AMF
* f5 : Calculates AK from RAND using K and OPc
*
* @param k (128 bit) secret key K
- * @param opc (128 bit) operator variant key derivate OPc
+ * @param opc (128 bit) operator variant key derivative OPc
* @param rand (128 bit) random value RAND
* @param[out] res (64 bit) scratchpad to receive signed response RES
* @param[out] ck (128 bit) scratchpad to receive encryption key CK
* f5* : Calculates resync AKS from RAND using K and OPc
*
* @param k (128 bit) secret key K
- * @param opc (128 bit) operator variant key derivate OPc
+ * @param opc (128 bit) operator variant key derivative OPc
* @param rand (128 bit) random value RAND
* @param[out] aks (48 bit) scratchpad to receive resync anonymity key AKS
* @return TRUE if calculations successful
identification_t *peer;
/**
- * EAP message identififier
+ * EAP message identifier
*/
uint8_t identifier;
};
/* delay the response for some time to make brute-force attacks harder */
sleep(RETRY_DELAY);
- /* since the error is retryable the state does not change, we still
+ /* since the error is retriable the state does not change, we still
* expect an MSCHAPV2_RESPONSE from the peer */
return NEED_MORE;
}
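Review bot: the `-`/`+` pair changing "retryable" to "retriable" is not a typo fix; both spellings are accepted and "retryable" is the form commonly used in software comments and APIs. Suggest dropping this pair from a typo-only commit, or at least keeping it separate so the comment's original wording is not churned without need.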
}
/**
- * Handle Session-Timeout attribte and Interim updates
+ * Handle Session-Timeout attribute and Interim updates
*/
static void process_timeout(radius_message_t *msg)
{
}
writer->write_data(writer, net->get_address(net));
writer->write_data(writer, mask->get_address(mask));
- padding = writer->skip(writer, 6); /* 6 bytes pdding */
+ padding = writer->skip(writer, 6); /* 6 bytes padding */
memset(padding.ptr, 0, padding.len);
mask->destroy(mask);
net->destroy(net);
* @{ @ingroup eap_simaka_pseudonym
*/
-#ifndef EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
-#define EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
+#ifndef EAP_SIMAKA_PSEUDONYM_PROVIDER_H_
+#define EAP_SIMAKA_PSEUDONYM_PROVIDER_H_
#include <simaka_provider.h>
*/
eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create();
-#endif /** EAP_SIMAKA_PSEDUONYM_PROVIDER_H_ @}*/
+#endif /** EAP_SIMAKA_PSEUDONYM_PROVIDER_H_ @}*/
* Create an enumerator over active tunnels.
*
* The enumerator enumerates over local or remote traffic selectors,
- * associated firewall marks and if decasulated packets should get
+ * associated firewall marks and if decapsulated packets should get
* reinjected into other tunnels.
*
* @param local TRUE to enumerate local, FALSE to enumerate remote TS
}
/**
- * Segmentate a calculated hash
+ * Segment a calculated hash
*/
static u_int hash2segment(private_ha_kernel_t *this, uint64_t hash)
{
/**
* Get the segment an arbitrary integer is in.
*
- * @param n integer to segmentate
+ * @param n integer to segment
*/
u_int (*get_segment_int)(ha_kernel_t *this, int n);
bool heartbeat_active;
/**
- * Interval we send hearbeats
+ * Interval we send heartbeats
*/
int heartbeat_delay;
.prefixlen = policy->dst.mask,
);
#ifndef __linux__
- /* on Linux we cant't install a gateway */
+ /* on Linux we can't install a gateway */
route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, src,
NULL);
#endif
typedef struct {
/** policy source addresses */
traffic_selector_t *src;
- /** policy destinaiton addresses */
+ /** policy destination addresses */
traffic_selector_t *dst;
/** WFP allocated LUID for inbound filter ID */
uint64_t policy_in;
if (this->initiator_id)
{
if (this->initiator_match && (!local && !num))
- { /* as responder, use the secified identity that matches
+ { /* as responder, use the specified identity that matches
* all used initiator identities, if given. */
snprintf(buf, sizeof(buf), this->initiator_match, rnd);
id = identification_create_from_string(buf);
bool set_source;
/**
- * TRUE to force sending source interface on outbound packetrs
+ * TRUE to force sending source interface on outbound packets
*/
bool set_sourceif;
* otherwise returns the same certificate.
*
* @param cert certificate to check
- * @return reference to stored CA certifiate, or original
+ * @return reference to stored CA certificate, or original
*/
certificate_t *(*get_cert_ref)(stroke_ca_t *this, certificate_t *cert);
{
return TRUE;
}
- /* add default porposal to the end if not strict */
+ /* add default proposal to the end if not strict */
}
if (ike_cfg)
{
* Reread secrets from config files.
*
* @param msg stroke message
- * @param prompt I/O channel to prompt for private key passhprase
+ * @param prompt I/O channel to prompt for private key passphrase
*/
void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
typedef struct {
/** implements enumerator */
enumerator_t public;
- /** inneer UCI enumerator */
+ /** inner UCI enumerator */
enumerator_t *inner;
/** currently enumerated shared shared */
shared_key_t *current;
struct unity_provider_t {
/**
- * Implements attribute_provier_t interface.
+ * Implements attribute_provider_t interface.
*/
attribute_provider_t provider;
The _Vici::Session_ module provides a _new()_ constructor for a high level
interface, the underlying _Vici::Packet_ and _Vici::Transport_ classes are
usually not required to build Perl applications using VICI. The _Vici::Session_
-class provides methods for the supported VICI commands. The auxiliare
+class provides methods for the supported VICI commands. The auxiliary
_Vici::Message_ class is used to encode configuration parameters sent to
the daemon and decode data returned by the daemon.
char* vici_parse_name(vici_res_t *res);
/**
- * Compare name tag / key of a previusly parsed element.
+ * Compare name tag / key of a previously parsed element.
*
* This call is valid only after vici_parse() returned VICI_PARSE_KEY_VALUE,
* VICI_PARSE_BEGIN_SECTION or VICI_PARSE_BEGIN_LIST.
The strongSwan VICI protocol allows external application to monitor,
configure and control the IKE daemon charon. This Ruby Gem provides a
native client side implementation of the VICI protocol, well suited to
- script automated tasks in a relaible way.
+ script automated tasks in a reliable way.
}
s.summary = "Native Ruby interface for strongSwan VICI"
s.homepage = "https://wiki.strongswan.org/projects/strongswan/wiki/Vici"
struct authority_t {
/**
- * Name of the certification authoritiy
+ * Name of the certification authority
*/
char *name;
/**
* Queue a message for async processing
*/
-static void queue_messsage(private_vici_logger_t *this, vici_message_t *message)
+static void queue_message(private_vici_logger_t *this, vici_message_t *message)
{
this->queue->insert_last(this->queue, message);
if (this->queue->get_count(this->queue) == 1)
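Review bot: `queue_messsage` is a `static` function, so the rename to `queue_message` must be mirrored at every call site within this file; the call `queue_messsage(this, message);` is updated in the following hunk, and because the symbol is file-local no other translation units are affected, so no header change is needed.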
message = builder->finalize(builder);
if (message)
{
- queue_messsage(this, message);
+ queue_message(this, message);
}
}
this->recursive--;
* Create a vici_logger instance.
*
* @param dispatcher dispatcher to receive requests from
- * @return loggerential backend
+ * @return logger backend
*/
vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher);
}
/**
- * Read in available header with data, non-blocking cumulating to buffer
+ * Read in available header with data, non-blocking accumulating to buffer
*/
static bool do_read(private_vici_socket_t *this, entry_t *entry,
stream_t *stream, char *errmsg, size_t errlen)
* Class representing an DELETE_IKE_SA Job.
*
* This job is responsible for deleting established or half open IKE_SAs.
- * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
+ * A half open IKE_SA is every IKE_SA which hasn't reached the SA_ESTABLISHED
* state.
*/
struct delete_ike_sa_job_t {
/**
* Job checking for inactivity of CHILD_SA to close them.
*
- * The inactivity job reschedules itself to check CHILD_SAs prediodically.
+ * The inactivity job reschedules itself to check CHILD_SAs periodically.
*/
struct inactivity_job_t {
uint32_t unique_id;
/**
- * Whether FWD policieis in the outbound direction should be installed
+ * Whether FWD policies in the outbound direction should be installed
*/
bool policies_fwd_out;
uint32_t (*get_rekey_spi)(child_sa_t *this);
/**
- * Update hosts and ecapulation mode in the kernel SAs and policies.
+ * Update hosts and ecapsulation mode in the kernel SAs and policies.
*
* @param me the new local host
* @param other the new remote host
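Review bot: the `+` line "Update hosts and ecapsulation mode in the kernel SAs and policies." replaces one misspelling with another; the word is "encapsulation", so the line should read "Update hosts and encapsulation mode in the kernel SAs and policies."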
* responses. An EAP method may need multiple exchanges before succeeding, and
* the eap_authentication may use multiple EAP methods to authenticate a peer.
* To accomplish these requirements, all EAP methods have their own
- * implementation while the eap_authenticatior uses one or more of these
+ * implementation while the eap_authenticator uses one or more of these
* EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
* of the method, the eap_authenticator does this.
* An EAP method may establish a MSK, this is used the complete the
* Constructors for server and peers are identical, to support both roles
* of a EAP method, a plugin needs register two constructors in the
* eap_manager_t.
- * The passed identites are of type ID_EAP and valid only during the
+ * The passed identities are of type ID_EAP and valid only during the
* constructor invocation.
*
* @param server ID of the server to use for credential lookup
uint32_t keepalive_interval;
/**
- * The schedueld keep alive job, if any
+ * The scheduled keep alive job, if any
*/
send_keepalive_job_t *keepalive_job;
* Timing information and statistics to query from an SA
*/
enum statistic_t {
- /** Timestamp of SA establishement */
+ /** Timestamp of SA establishment */
STAT_ESTABLISHED = 0,
/** Timestamp of scheduled rekeying */
STAT_REKEY,
* to the CHILD_SA.
*
* @param child_cfg child config to create CHILD from
- * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
+ * @param reqid reqid to use for CHILD_SA, 0 assign uniquely
* @param tsi source of triggering packet
* @param tsr destination of triggering packet.
* @return
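Review bot: the `+` line "@param reqid reqid to use for CHILD_SA, 0 assign uniquely" corrects the spelling but the phrase is still ungrammatical; suggest "0 to assign one uniquely" (or "0 to allocate a unique one") so the doc comment states what a zero reqid means.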
status_t (*reauth) (ike_sa_t *this);
/**
- * Restablish the IKE_SA.
+ * Reestablish the IKE_SA.
*
* Reestablish an IKE_SA after it has been closed.
*
/**
* Remove the task the given enumerator points to.
*
- * @note This should be used with caution, in partciular, for tasks in the
+ * @note This should be used with caution, in particular, for tasks in the
* active and passive queues.
*
* @param enumerator enumerator created with the method above
void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
/**
- * Queue a task for initiaton to the task manager.
+ * Queue a task for initiation to the task manager.
*
* @param task task to queue
*/
* @param ike_version major IKE version
* @param initiator_spi initiators SPI
* @param responder_spi responders SPI
- * @param is_initiaor TRUE if we are the original initiator
+ * @param is_initiator TRUE if we are the original initiator
* @return ike_sa_id_t object
*/
ike_sa_id_t * ike_sa_id_create(uint8_t ike_version, uint64_t initiator_spi,
- uint64_t responder_spi, bool is_initiaor);
+ uint64_t responder_spi, bool is_initiator);
#endif /** IKE_SA_ID_H_ @}*/
* entry as checked out while we release the lock so no other
* thread can acquire it. Since it is not yet in the list of
* connected peers that will not cause a deadlock as no other
- * caller of check_unqiueness() will try to check out this SA */
+ * caller of check_uniqueness() will try to check out this SA */
entry->checked_out = thread_current();
unlock_single_segment(this, segment);
}
else
{
- DBG1(DBG_MGR, "tried to checkin and delete nonexisting IKE_SA");
+ DBG1(DBG_MGR, "tried to checkin and delete nonexistent IKE_SA");
ike_sa->destroy(ike_sa);
}
charon->bus->set_sa(charon->bus, NULL);
*
* @param proposal selected algorithms
* @param dh diffie hellman key, NULL if none used
- * @param spi_i SPI chosen by initiatior
+ * @param spi_i SPI chosen by initiator
* @param spi_r SPI chosen by responder
* @param nonce_i quick mode initiator nonce
* @param nonce_r quick mode responder nonce
/**
* Get HASH data for authentication.
*
- * @param initiatior TRUE to create HASH_I, FALSE for HASH_R
+ * @param initiator TRUE to create HASH_I, FALSE for HASH_R
* @param dh public DH value of peer to create HASH for
* @param dh_other others public DH value
* @param ike_sa_id IKE_SA identifier
};
/**
- * Get the first authentcation config from peer config
+ * Get the first authentication config from peer config
*/
static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
{
bool found = FALSE;
/* some peers send DELETE payloads for other IKE_SAs, e.g. those for expired
- * ones after a rekeyeing, make sure the SPIs match */
+ * ones after a rekeying, make sure the SPIs match */
id = this->ike_sa->get_id(this->ike_sa);
payloads = message->create_payload_enumerator(message);
while (payloads->enumerate(payloads, &payload))
status_t result = NEED_MORE;
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
- { /* we didn't receive VIDs inidcating support for NAT-T */
+ { /* we didn't receive VIDs indicating support for NAT-T */
return SUCCESS;
}
#include <sa/authenticator.h>
/**
- * Implementation of authenticator_t using public key authenitcation.
+ * Implementation of authenticator_t using public key authentication.
*/
struct pubkey_authenticator_t {
connect_manager_t public;
/**
- * Lock for exclusivly accessing the manager.
+ * Lock for exclusively accessing the manager.
*/
mutex_t *mutex;
chunk_t skd;
/**
- * Key to build outging authentication data (SKp)
+ * Key to build outgoing authentication data (SKp)
*/
chunk_t skp_build;
/** sa id of the peer, NULL if offline */
ike_sa_id_t *ike_sa_id;
- /** list of peer ids that reuested this peer */
+ /** list of peer ids that requested this peer */
linked_list_t *requested_by;
};
mediation_manager_t public;
/**
- * Lock for exclusivly accessing the manager.
+ * Lock for exclusively accessing the manager.
*/
mutex_t *mutex;
}
/**
- * Check if strict constraint fullfillment required to continue current auth
+ * Check if strict constraint fulfillment required to continue current auth
*/
static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
{
}
/**
- * Check if this delete happened after a rekey collsion
+ * Check if this delete happened after a rekey collision
*/
static bool after_rekey_collision(private_ike_delete_t *this)
{
if (this->callback)
{
/* we got a callback from the mediation server, initiate the
- * queued mediated connecction */
+ * queued mediated connection */
charon->connect_manager->check_and_initiate(
charon->connect_manager,
this->ike_sa->get_id(this->ike_sa),
/* source may be any, we have 3 possibilities to get our source address:
* 1. It is defined in the config => use the one of the IKE_SA
* 2. We do a routing lookup in the kernel interface
- * 3. Include all possbile addresses
+ * 3. Include all possible addresses
*/
host = message->get_source(message);
if (!host->is_anyaddr(host) || force_encap(ike_cfg))
* If a message is processed outside of the manager, this call increments
* the message ID counters of the task manager.
*
- * @param inititate TRUE to increment the initiating ID
+ * @param initiate TRUE to increment the initiating ID
*/
void (*incr_mid)(task_manager_t *this, bool initiate);
/**
* Remove the task the given enumerator points to.
*
- * @note This should be used with caution, in partciular, for tasks in the
+ * @note This should be used with caution, in particular, for tasks in the
* active and passive queues.
*
* @param enumerator enumerator created with the method above
{
if (!expected)
{
- ck_assert_msg(!host, "not epxecting IP != %+H", host);
+ ck_assert_msg(!host, "not expecting IP != %+H", host);
}
else
{
payload_type_t payload;
/**
- * Notify type to expect/not expect (paylod type does not have to be
+ * Notify type to expect/not expect (payload type does not have to be
* specified)
*/
notify_type_t notify;
/**
* Set the initial byte of all nonces generated by future nonce
- * generators (already instatiated nonce generators are not affected).
+ * generators (already instantiated nonce generators are not affected).
*/
u_char nonce_first_byte;
mutex_t *mutex;
/**
- * Hahstable with active sessions
+ * Hashtable with active sessions
*/
hashtable_t *sessions;
* server-push functionality.
*
* @param format printf like format string
- * @param ... argmuent list to format string
+ * @param ... argument list to format string
* @return number of streamed bytes, < 0 if stream closed
*/
int (*streamf)(fast_request_t *this, char *format, ...);
*/
/**
- * @defgroup ietf_attr_assess_resultt ietf_attr_assess_result
+ * @defgroup ietf_attr_assess_result ietf_attr_assess_result
* @{ @ingroup ietf_attr
*/
*/
/**
- * @defgroup ietf_attr_attr_requestt ietf_attr_attr_request
+ * @defgroup ietf_attr_attr_request ietf_attr_attr_request
* @{ @ingroup ietf_attr
*/
*/
/**
- * @defgroup ietf_attr_installed_packagest ietf_attr_installed_packages
+ * @defgroup ietf_attr_installed_packages ietf_attr_installed_packages
* @{ @ingroup ietf_attr
*/
*/
/**
- * @defgroup ietf_attr_numeric_versiont ietf_attr_numeric_version
+ * @defgroup ietf_attr_numeric_version ietf_attr_numeric_version
* @{ @ingroup ietf_attr
*/
* Gets the Major and Minor Numbers of the Service Pack
*
* @param major Service Pack Major Number
- * @param minor Servcie Pack Minor Number
+ * @param minor Service Pack Minor Number
*/
void (*get_service_pack)(ietf_attr_numeric_version_t *this,
uint16_t *major, uint16_t *minor);
/**
* Creates an ietf_attr_pa_tnc_error_t object from an error code with offset
*
- * @param error_code Vendor-specifica PA-TNC error code
+ * @param error_code Vendor-specific PA-TNC error code
* @param header PA-TNC message header (first 8 bytes)
* @param error_offset PA-TNC error offset in bytes
*
*/
/**
- * @defgroup ietf_attr_port_filtert ietf_attr_port_filter
+ * @defgroup ietf_attr_port_filter ietf_attr_port_filter
* @{ @ingroup ietf_attr
*/
*/
/**
- * @defgroup ietf_attr_string_versiont ietf_attr_string_version
+ * @defgroup ietf_attr_string_version ietf_attr_string_version
* @{ @ingroup ietf_attr
*/
* Set result string
*
* @param result Result string
- * @return Action Recommendatino
+ * @return Action Recommendation
*/
TNC_IMV_Action_Recommendation (*get_result)(imv_workitem_t *this,
char **result);
swima_inventory_t *targets;
/**
- * Retrieve SW Identifieres only
+ * Retrieve SW Identifiers only
*/
bool sw_id_only;
*
* @param qualifier PTS Component Functional Name Qualifier
* @param pts PTS interface
- * @param evidence returns component evidence measureemt
+ * @param evidence returns component evidence measurement
* @param measurements additional file measurements (NULL if not present)
* @return status return code
*/
char *qualifier_flag_names;
/**
- * Vendor-specific size of Qualfiier Type field
+ * Vendor-specific size of Qualifier Type field
*/
int qualifier_type_size;
certificate_t *aik_cert;
/**
- * Primary key referening AIK in database
+ * Primary key referencing AIK in database
*/
int aik_id;
/**
* Create a PTS IMA runtime file measurement object
*
- * @param file Pathname pointing to the IMA runtme measurements
+ * @param file Pathname pointing to the IMA runtime measurements
*/
pts_ima_event_list_t* pts_ima_event_list_create(char *file);
(int)os_version.len, os_version.ptr, (int)os_arch.len,
os_arch.ptr) == -1)
{
- DBG1(DBG_IMC, "constructon of OS string failed");
+ DBG1(DBG_IMC, "construction of OS string failed");
destroy(this);
return NULL;
}
os_name.ptr, (int)os_version.len, os_version.ptr,
(int)os_arch.len, os_arch.ptr) == -1)
{
- DBG1(DBG_IMC, "constructon of product string failed");
+ DBG1(DBG_IMC, "construction of product string failed");
destroy(this);
return NULL;
}
}
if (!this->db)
{
- /* Set the event ID epoch and last event ID smanually */
+ /* Set the event ID epoch and last event ID manually */
eid_epoch = lib->settings->get_int(lib->settings,
"%s.plugins.imc-swima.eid_epoch",
eid_epoch, lib->ns);
* Creates a swima_record_t object
*
* @param record_id Record ID
- * @param sw_id Software Identifierl
+ * @param sw_id Software Identifier
* @param sw_locator Software Locator or empty chunk
*/
swima_record_t* swima_record_create(uint32_t record_id, chunk_t sw_id,
pa_tnc_attr_t pa_tnc_attribute;
/**
- * Get PTS procol capabilities flags
+ * Get PTS protocol capabilities flags
*
* @return set of flags
*/
if (!reader->read_data32(reader, "e_sig))
{
DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final "
- "TPM Quote Singature");
+ "TPM Quote Signature");
goto end;
}
this->quote_sig = chunk_clone(quote_sig);
* @param direction traffic direction
* @param reqid reqid of the policy
* @param mark mark for this policy
- * @param prioirty policy priority
+ * @param priority policy priority
* @return TRUE if policy matches all parameters
*/
bool (*match)(ipsec_policy_t *this, traffic_selector_t *src_ts,
sa = ipsec->sas->checkout_by_reqid(ipsec->sas, policy->get_reqid(policy),
FALSE);
if (!sa)
- { /* TODO-IPSEC: send an acquire to uppper layer */
+ { /* TODO-IPSEC: send an acquire to upper layer */
DBG1(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, "
"dropping packet", policy->get_reqid(policy));
packet->destroy(packet);
* Create a pt_tls_client instance.
*
* The client identity is used for:
- * - TLS authentication if an appropirate certificate is found
+ * - TLS authentication if an appropriate certificate is found
* - SASL authentication if requested from the server
*
* @param address address/port to run assessments against, gets owned
#include <library.h>
/**
- * Constructor function for SASL mechansims.
+ * Constructor function for SASL mechanism.
*
* @param name name of the requested SASL mechanism
* @param client client identity, NULL to act as server
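Review bot: the replacement on the `Constructor function for SASL mechansims.` line drops the plural, yet the comment describes a constructor type shared by all SASL mechanisms (the `name` parameter selects which one), so `mechanisms` is the intended word; suggest `Constructor function for SASL mechanisms.` instead of `mechanism.`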
struct rattr_t {
/** attribute type, radius_attribute_type_t */
uint8_t type;
- /** length of the attriubte, including the Type, Length and Value fields */
+ /** length of the attribute, including the Type, Length and Value fields */
uint8_t length;
/** variable length attribute value */
uint8_t value[];
char kc[SIM_KC_LEN]);
/**
- * Calculate AKA quitpulets on one of the registered SIM cards.
+ * Calculate AKA quintuplets on one of the registered SIM cards.
*
* @param id permanent identity to request quintuplet for
* @param rand random value rand
/**
* Pass AKA resynchronization data to one of the registered providers.
*
- * @param id permanent identity of peer requesting resynchronisation
+ * @param id permanent identity of peer requesting resynchronization
* @param rand random value rand
* @param auts synchronization parameter auts
* @return TRUE if resynchronized, FALSE if not handled
char autn[AKA_AUTN_LEN]);
/**
- * Process AKA resynchroniusation request of a peer.
+ * Process AKA resynchronization request of a peer.
*
- * @param id permanent identity of peer requesting resynchronisation
+ * @param id permanent identity of peer requesting resynchronization
* @param rand random value rand
* @param auts synchronization parameter auts
* @return TRUE if resynchronized successfully
identification_t *id);
/**
- * Generate a pseudonym identitiy for a given peer identity.
+ * Generate a pseudonym identity for a given peer identity.
*
* @param id permanent identity to generate a pseudonym for
* @return generated pseudonym, NULL to not use a pseudonym identity
/**
* Create an enumerator over an array.
*
- * The enumerater enumerates directly over the array element (pass a pointer to
+ * The enumerator enumerates directly over the array element (pass a pointer to
* element types), unless the array is pointer based. If zero is passed as
* element size during construction, the enumerator enumerates over the
* dereferenced pointer values.
* Creates an enumerator which enumerates over enumerated enumerators :-).
*
* The outer enumerator is expected to return objects that, when passed to
- * inner_contructor, will create a new enumerator that will be enumerated until
+ * inner_constructor, will create a new enumerator that will be enumerated until
* completion (to this enumerator will the pointer arguments that are passed to
* this enumerator be forwarded) at which point a new element from the outer
* enumerator is requested to create a new inner enumerator.
* entry, otherwise NULL is returned.
*
* Compared to get() the given match function is used to compare the keys
- * for equality. The hash function does have to be deviced properly in
+ * for equality. The hash function does have to be devised properly in
* order to make this work if the match function compares keys differently
* than the equals function provided to the constructor. This basically
* allows to enumerate all entries with the same hash value.
*
* If this function returns SUCCESS or FAILED, the certificate lifetime is
* considered definitely (in-)valid, without asking other validators.
- * If all registered validaters return NEED_MORE, the default
+ * If all registered validators return NEED_MORE, the default
* lifetime check is performed.
*
* @param cert certificate to check lifetime
VALIDATION_STALE,
/** validation failed due to a processing error */
VALIDATION_FAILED,
- /** certificate is on hold (i.e. temporary revokation) */
+ /** certificate is on hold (i.e. temporary revocation) */
VALIDATION_ON_HOLD,
/** certificate has been revoked */
VALIDATION_REVOKED,
* Get the encoding of the full signed/encrypted container.
*
* @param data allocated container encoding
- * @return TRUE if encodign successful
+ * @return TRUE if encoding successful
*/
bool (*get_encoding)(container_t *this, chunk_t *encoding);
enumerator = create_cert_enumerator(this, cert, key, id, trusted);
if (enumerator->enumerate(enumerator, ¤t))
{
- /* TODO: best match? order by keyid, subject, sualtname */
+ /* TODO: best match? order by keyid, subject, subjectAltName */
found = current->get_ref(current);
}
enumerator->destroy(enumerator);
};
/**
- * Generic private key equals() implementation, usable by implementors.
+ * Generic private key equals() implementation, usable by implementers.
*
* @param private private key to check
* @param other key to compare
bool private_key_equals(private_key_t *private, private_key_t *other);
/**
- * Generic private key belongs_to() implementation, usable by implementors.
+ * Generic private key belongs_to() implementation, usable by implementers.
*
* @param private private key to check
* @param public public key to compare
bool private_key_belongs_to(private_key_t *private, public_key_t *public);
/**
- * Generic private key has_fingerprint() implementation, usable by implementors.
+ * Generic private key has_fingerprint() implementation, usable by implementers.
*
* @param private private key to check
* @param fingerprint fingerprint to check
};
/**
- * Generic public key equals() implementation, usable by implementors.
+ * Generic public key equals() implementation, usable by implementers.
*
* @param public public key to check
* @param other key to compare
bool public_key_equals(public_key_t *public, public_key_t *other);
/**
- * Generic public key has_fingerprint() implementation, usable by implementors.
+ * Generic public key has_fingerprint() implementation, usable by implementers.
*
* @param public public key to check
* @param fingerprint fingerprint to check
id_match_t *match_me, id_match_t *match_other);
/**
- * Generic callbcack using user specified callback functions.
+ * Generic callback using user specified callback functions.
*/
struct callback_cred_t {
*
* The length of the iv must equal to get_iv_size(), while the length
* of data must be a multiple of get_block_size().
- * If decrpyted is NULL, the encryption is done in-place (overwriting data).
+ * If decrypted is NULL, the encryption is done in-place (overwriting data).
*
* @param data data to decrypt
* @param iv initializing vector
*
* @param group group to test
* @param create constructor function for the DH backend
- * @param speed speeed test result, NULL to omit
+ * @param speed speed test result, NULL to omit
* @return TRUE if test passed
*/
bool (*test_dh)(crypto_tester_t *this, diffie_hellman_group_t group,
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the "GNU General Public License as published by the
- * Free Software Foundatio"n; either version 2 of the License, or (at your
+ * Free Software Foundation; either version 2 of the License, or (at your
* option) any later version". See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
/**
* Creates a new prf_plus_t object.
*
- * @param prf prf object to use, must be destroyd after prf+.
+ * @param prf prf object to use, must be destroyed after prf+.
* @param counter use an appending counter byte (for IKEv2 variant)
* @param seed input seed for prf
* @return prf_plus_t object, NULL on failure
*/
/**
- * @defgroup databasei database
+ * @defgroup database_t database
* @{ @ingroup database
*/
*
* @note Either commit() or rollback() has to be called to end the
* transaction.
- * @note Transactions are thread-specific. So commit()/rollbak() has to be
+ * @note Transactions are thread-specific. So commit()/rollback() has to be
* called from the same thread.
* @note While this method can be called multiple times (commit/rollback
* have to be called an equal number of times) real nested transactions are
#define MAX_NAMESPACES 5
/**
- * Additional namespaces registered using __atrribute__((constructor))
+ * Additional namespaces registered using __attribute__((constructor))
*/
static char *namespaces[MAX_NAMESPACES];
static int ns_count;
#include <sys/types.h>
/**
- * Representates a Host
+ * Represents a Host
*
* Host object, identifies a address:port pair and defines some
* useful functions on it.
#define nc (AES_BLOCK_SIZE/4)
-// Initialise the key schedule from the user supplied key. The key
+// Initialize the key schedule from the user supplied key. The key
// length is now specified in bytes - 16, 24 or 32 as appropriate.
// This corresponds to bit lengths of 128, 192 and 256 bits, and
// to Nk values of 4, 6 and 8 respectively.
typedef struct bliss_plugin_t bliss_plugin_t;
/**
- * Plugin implementing the BLISS post-quantu authentication algorithm
+ * Plugin implementing the BLISS post-quantum authentication algorithm
*/
struct bliss_plugin_t {
/* We derive the public key from the private key using the FFT */
fft = ntt_fft_create(set->fft_params);
- /* Some vectors needed to derive the publi key */
+ /* Some vectors needed to derive the public key */
S1 = malloc(n * sizeof(uint32_t));
S2 = malloc(n * sizeof(uint32_t));
a = malloc(n * sizeof(uint32_t));
chunk_t (*get_encoding)(bliss_signature_t *this);
/**
- * Get signature parameters extracted from compressd binary encoding
+ * Get signature parameters extracted from compressed binary encoding
*
* @param z1 signature vector z1 of size n
* @param z2d signature vector z2d of size n
typedef struct hmac_plugin_t hmac_plugin_t;
/**
- * Plugin implementing HMAC algorithm to prvoide hash based PRF and signers.
+ * Plugin implementing HMAC algorithm to provide hash based PRF and signers.
*/
struct hmac_plugin_t {
typedef struct private_md4_hasher_t private_md4_hasher_t;
/**
- * Private data structure with hasing context.
+ * Private data structure with hashing context.
*/
struct private_md4_hasher_t {
/**
typedef struct private_md5_hasher_t private_md5_hasher_t;
/**
- * Private data structure with hasing context.
+ * Private data structure with hashing context.
*/
struct private_md5_hasher_t {
/**
typedef struct mysql_database_t mysql_database_t;
/**
- * MySQL databse_t implementation.
+ * MySQL database_t implementation.
*/
struct mysql_database_t {
*
* @param nonce Nonce determining the pseudo random stream
* @param n Number of pseudo random bytes to be returned
- * @return Return array with n peudo random bytes
+ * @return Return array with n pseudo random bytes
*/
uint8_t* (*get_uniform_bytes)(newhope_noise_t *this, uint8_t nonce,
uint16_t n);
0x27, /* DER id */
10, /* no. of bits in N (i.e., in an index) */
613, /* N */
- 16, /* securuity strength in octets */
+ 16, /* security strength in octets */
2048, /* q */
11, /* no. of bits in q (i.e., in a coeff) */
FALSE, /* product form */
bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash);
/**
- * Concatenates two bignums into a chunk, thereby enfocing the length of
+ * Concatenates two bignums into a chunk, thereby enforcing the length of
* a single BIGNUM, if necessary, by pre-pending it with zeros.
*
* Note: this function allocates memory for the chunk
}
/**
- * parse an extionsion containing GENERAL_NAMES into a list
+ * parse an extension containing GENERAL_NAMES into a list
*/
static bool parse_generalNames_ext(linked_list_t *list,
X509_EXTENSION *ext)
}
if (flags & X509v3_KU_KEY_CERT_SIGN)
{
- /* we use the caBasicContraint, MUST be set */
+ /* we use the caBasicConstraint, MUST be set */
}
}
ASN1_BIT_STRING_free(usage);
typedef struct private_padlock_sha1_hasher_t private_padlock_sha1_hasher_t;
/**
- * Private data structure with hasing context.
+ * Private data structure with hashing context.
*/
struct private_padlock_sha1_hasher_t {
/**
}
if (cred_encoding_args(args, CRED_PART_PKCS10_ASN1_DER,
&asn1, CRED_PART_END))
- { /* PEM encode PKCS10 certificate reqeuest */
+ { /* PEM encode PKCS10 certificate request */
label = "CERTIFICATE REQUEST";
break;
}
*
* @param blob blob to read from, gets advanced
* @param bytes number of bytes the scalar uses for encoding
- * @param scalar resultin scalar
+ * @param scalar resulting scalar
* @return TRUE if scalar parsed successfully
*/
bool pgp_read_scalar(chunk_t *blob, size_t bytes, uint32_t *scalar);
unsigned char *operation_state,
unsigned long operation_state_len,
ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key));
+ ck_object_handle_t authentication_key));
_CK_DECLARE_FUNCTION (C_Login,
(ck_session_handle_t session, ck_user_type_t user_type,
unsigned char *pin, unsigned long pin_len));
pkcs11_library_t *lib;
/**
- * Session handle for this objct
+ * Session handle for this object
*/
CK_SESSION_HANDLE session;
}
/**
- * CKA_EC_POINT is encodeed as ASN.1 octet string, we can't handle that and
+ * CKA_EC_POINT is encoded as ASN.1 octet string, we can't handle that and
* some tokens actually return them even unwrapped.
*
* Because ASN1_OCTET_STRING is 0x04 and uncompressed EC_POINTs also begin with
/**
* Try to reload plugin configuration.
*
- * @return TRUE if reloaded, FALSE if reloading not supporty by plugin
+ * @return TRUE if reloaded, FALSE if reloading not supported by plugin
*/
bool (*reload)(plugin_t *this);
typedef struct private_sha1_hasher_t private_sha1_hasher_t;
/**
- * Private data structure with hasing context.
+ * Private data structure with hashing context.
*/
struct private_sha1_hasher_t {
/**
typedef struct private_sha1_hasher_t private_sha1_hasher_t;
/**
- * Private data structure with hasing context.
+ * Private data structure with hashing context.
*/
struct private_sha1_hasher_t {
/**
typedef struct private_sha512_hasher_t private_sha512_hasher_t;
/**
- * Private data structure with hasing context for SHA384 and SHA512
+ * Private data structure with hashing context for SHA384 and SHA512
*/
struct private_sha512_hasher_t {
/**
typedef struct private_sha256_hasher_t private_sha256_hasher_t;
/**
- * Private data structure with hasing context for SHA256
+ * Private data structure with hashing context for SHA256
*/
struct private_sha256_hasher_t {
/**
/**
* Check if the SQLite library is thread safe
*/
-static bool is_threadsave()
+static bool is_threadsafe()
{
#if SQLITE_VERSION_NUMBER >= 3005000
return sqlite3_threadsafe() > 0;
sqlite_enumerator_t *this)
{
sqlite3_finalize(this->stmt);
- if (!is_threadsave())
+ if (!is_threadsafe())
{
this->database->mutex->unlock(this->database->mutex);
}
sqlite_enumerator_t *enumerator = NULL;
int i;
- if (!is_threadsave())
+ if (!is_threadsafe())
{
this->mutex->lock(this->mutex);
}
typedef struct sqlite_database_t sqlite_database_t;
/**
- * sqlite databse_t implementation.
+ * sqlite database_t implementation.
*/
struct sqlite_database_t {
bool wolfssl_mp_split(chunk_t chunk, mp_int *a, mp_int *b);
/**
- * Concatenates two integers into a chunk, thereby enfocing the length of
+ * Concatenates two integers into a chunk, thereby enforcing the length of
* a single integer, if necessary, by pre-pending it with zeros.
*
* Note: this function allocates memory for the chunk
linked_list_t *permitted_names;
/**
- * List of exluced name constraints
+ * List of excluded name constraints
*/
linked_list_t *excluded_names;
chunk_t encoding;
/**
- * data for signature verficiation
+ * data for signature verification
*/
chunk_t tbsResponseData;
};
/**
- * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
+ * Compares two timevals, return >0 if a > b, <0 if a < b and =0 if equal
*/
static int timeval_cmp(timeval_t *a, timeval_t *b)
{
*/
/**
- * @defgroup resolveri resolver
+ * @defgroup resolver_t resolver
* @{ @ingroup resolver
*/
ck_assert(!expected[i]);
}
-START_TEST(test_sig_contraints)
+START_TEST(test_sig_constraints)
{
auth_cfg_t *cfg;
signature_scheme_t none[] = {0};
}
END_TEST
-START_TEST(test_ike_contraints_fallback)
+START_TEST(test_ike_constraints_fallback)
{
auth_cfg_t *cfg;
ck_assert(!scheme[i]);
}
-START_TEST(test_sig_contraints_params)
+START_TEST(test_sig_constraints_params)
{
auth_cfg_t *cfg;
{ .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}}},
};
-START_TEST(test_sig_contraints_rsa_pss)
+START_TEST(test_sig_constraints_rsa_pss)
{
auth_cfg_t *cfg;
s = suite_create("auth_cfg");
tc = tcase_create("add_pubkey_constraints");
- tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests));
- tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
+ tcase_add_loop_test(tc, test_sig_constraints, 0, countof(sig_constraints_tests));
+ tcase_add_loop_test(tc, test_ike_constraints_fallback, 0, countof(sig_constraints_tests));
suite_add_tcase(s, tc);
tc = tcase_create("add_pubkey_constraints parameters");
- tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests));
- tcase_add_loop_test(tc, test_sig_contraints_rsa_pss, 0, countof(sig_constraints_rsa_pss_tests));
+ tcase_add_loop_test(tc, test_sig_constraints_params, 0, countof(sig_constraints_params_tests));
+ tcase_add_loop_test(tc, test_sig_constraints_rsa_pss, 0, countof(sig_constraints_rsa_pss_tests));
suite_add_tcase(s, tc);
return s;
static void *cancel_run(void *data)
{
- /* default cancellability should be TRUE, so don't change it */
+ /* default cancelability should be TRUE, so don't change it */
while (TRUE)
{
sleep(10);
}
for (i = 0; i < THREADS; i++)
{
- /* wait until thread has cleared its cancellability */
+ /* wait until thread has cleared its cancelability */
while (cancellable[i])
{
sched_yield();
thread_cancelability(FALSE);
while (TRUE)
{
- /* implicitly enables cancellability */
+ /* implicitly enables cancelability */
thread_cancellation_point();
}
return NULL;
END_TEST
/*******************************************************************************
- * mallac_align/free_align
+ * malloc_align/free_align
*/
START_TEST(test_malloc_align)
/**
* Do not report mutexes with an overall waiting time smaller than this (in us)
*/
-#define PROFILE_WAIT_TRESHHOLD 10000
+#define PROFILE_WAIT_TRESHOLD 10000
/**
* Do not report mutexes with an overall lock count smaller than this
*/
-#define PROFILE_LOCK_TRESHHOLD 1000
+#define PROFILE_LOCK_TRESHOLD 1000
#include <utils/backtrace.h>
static inline void profiler_cleanup(lock_profile_t *profile)
{
if (profile->waited.tv_sec > 0 ||
- profile->waited.tv_usec > PROFILE_WAIT_TRESHHOLD ||
- profile->locked > PROFILE_LOCK_TRESHHOLD)
+ profile->waited.tv_usec > PROFILE_WAIT_TRESHOLD ||
+ profile->locked > PROFILE_LOCK_TRESHOLD)
{
fprintf(stderr, "%d.%03ds / %d times in lock created at:",
profile->waited.tv_sec, profile->waited.tv_usec, profile->locked);
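Review bot: the renamed macros `PROFILE_WAIT_TRESHOLD` and `PROFILE_LOCK_TRESHOLD` are still misspelled; the word is `THRESHOLD`, so the two `#define` lines and their uses in `profiler_cleanup()` should become `PROFILE_WAIT_THRESHOLD` and `PROFILE_LOCK_THRESHOLD` rather than trading one misspelling for another.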
pthread_mutex_t mutex;
/**
- * is this a recursiv emutex, implementing private_r_mutex_t?
+ * is this a recursive mutex, implementing private_r_mutex_t?
*/
bool recursive;
thread_t public;
/**
- * Identificator of this thread (human-readable/thread ID).
+ * Identifier of this thread (human-readable/thread ID).
*/
u_int id;
*
* @param chunk chunk to check for printability
* @param sane pointer where sane version is allocated, or NULL
- * @param replace character to use for replaceing unprintable characters
+ * @param replace character to use for replacing unprintable characters
* @return TRUE if all characters in chunk are printable
*/
bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
NULL, { __VA_ARGS__ }}
/**
- * Continue a enum name list startetd with ENUM_BEGIN.
+ * Continue a enum name list started with ENUM_BEGIN.
*
* @param name name of the enum_name list
* @param first enum value of the first enum string
* is interpreted as hex encoded binary data for that ID, otherwise the raw
* string following the prefix is used as identity data, without conversion.
* To specify a non-standard ID type, the numerical type may be prefixed
- * between curly backets, building a prefix. For instance the "{1}:" prefix
+ * between curly brackets, building a prefix. For instance the "{1}:" prefix
* defines an ID_IPV4_ADDR type.
*
* This constructor never returns NULL. If it does not find a suitable
}
enumerator->destroy(enumerator);
- /* we have reache the final state */
+ /* we have reached the final state */
this->delete_state = TRUE;
}
}
/*
- * Copyright (C) 2010 Sansar Choinyanbuu
+ * Copyright (C) 2010 Sansar Choinyambuu
* Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
/*
- * Copyright (C) 2010 Sansar Choinyanbuu
+ * Copyright (C) 2010 Sansar Choinyambuu
* Copyright (C) 2010 Andreas Steffen
*
* HSR Hochschule fuer Technik Rapperswil
/*
- * Copyright (C) 2010 Sansar Choinyanbuu
+ * Copyright (C) 2010 Sansar Choinyambuu
* Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
/**
* Create an empty TNC Identity object
*
- * @param rec Existing recommendationto be updated
+ * @param rec Existing recommendation to be updated
* @param rec_add Partial recommendation to be added
* @return Updated recommendation
*/
chunk_t (*get_pcr_digest)(tpm_tss_quote_info_t *this);
/**
- * Get TPM Quote Info digest, the basis of the TPM Quote Singature
+ * Get TPM Quote Info digest, the basis of the TPM Quote Signature
*
* @param nonce Derived from the Diffie-Hellman exchange
* @param composite PCR Composite as computed by IMV
/**
* Get TPM 2.0 version info (needed for TPM 2.0)
*
- * @return TPM 2.0 firmwareVersioin
+ * @return TPM 2.0 firmwareVersion
*/
chunk_t (*get_version_info)(tpm_tss_quote_info_t *this);
#include <credentials/certificates/certificate.h>
/**
- * Create a self-signed PKCS#10 certificate requesst.
+ * Create a self-signed PKCS#10 certificate request.
*/
static int req()
{
--add dns --server 10.1.0.1\n\
--add dns --server 10.1.1.1\n\
If a - (hyphen) is given as a file name, the commands are read\n\
- from STDIN. Readin commands stops at the end of file. Empty\n\
+ from STDIN. Reading commands stops at the end of file. Empty\n\
lines are ignored. The file may not contain a --batch command.\n\
\n");
}
.IP "\fBcamellia128\fP" 12
Camellia-CBC encryption (key size = 128 bit).
.IP "\fBcamellia192\fP" 12
-Camelllia-CBC encryption (key size = 192 bit).
+Camellia-CBC encryption (key size = 192 bit).
.IP "\fBcamellia256\fP" 12
Camellia-CBC encryption (key size = 256 bit).
.PP
/**
* @brief prints the usage of the program to the stderr output
*
- * If message is set, program is exitet with 1 (error)
+ * If message is set, program is exited with 1 (error)
* @param message message in case of an error
*/
static void usage(const char *message)
DPD_ACTION_CLEAR,
DPD_ACTION_HOLD,
DPD_ACTION_RESTART,
- DPD_ACTION_UNKNOW,
+ DPD_ACTION_UNKNOWN,
} dpd_action_t;
typedef enum {
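Review bot: renaming the enumerator DPD_ACTION_UNKNOW to DPD_ACTION_UNKNOWN is an identifier change, not a comment fix, so every use of the old name (any enum_name string table, parser or comparison that refers to it) must be renamed in the same commit or the build breaks; grep for the old spelling before merging and call out this API-visible rename in the commit message.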
%%
-^[\t ]*"version"[^\n]*$ /* eat legacy version delcaration */
+^[\t ]*"version"[^\n]*$ /* eat legacy version declaration */
^[\t ]+ return SPACES;
[\t ]+ /* eat other whitespace */
[\t ]*#[^\n]* /* eat comments */
/**
* List all endpoint software identifiers stored in local collector database
- * that are not registered yet in central collelector database
+ * that are not registered yet in central collector database
*/
static int unregistered_identifiers(sw_collector_db_t *db,
sw_collector_db_query_t type)
}
/**
- * Translate sletting key/values from a section enumerator into vici
+ * Translate setting key/values from a section enumerator into vici
* key-values/lists. Destroys the enumerator.
*/
static bool add_key_values(vici_req_t *req, enumerator_t *enumerator)
/*
- * Copyright (C) 2015 Andreas Stefffen
+ * Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
}
/**
- * Load certficiates from a directory
+ * Load certificates from a directory
*/
static void load_certs(load_ctx_t *ctx, char *type_str, char *dir)
{
# running in the background
### END INIT INFO
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+# Author: Andreas Steffen <andreas.steffen@strongswan.org>
#
# Do NOT "set -e"
# strongSwan Attribute Authority #
################################################################################
-# Generate Attritbute Authority certificate
+# Generate Attribute Authority certificate
TEST="${TEST_DIR}/ikev2/acert-cached"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert.pem"
cp ${ACERT_CS} ${TEST}/hosts/carol/${IPSEC_DIR}/acerts
cp ${ACERT_DM} ${TEST}/hosts/dave/${IPSEC_DIR}/acerts
-# Generate a short-lived Attritbute Authority certificate
+# Generate a short-lived Attribute Authority certificate
CN="strongSwan Legacy AA"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/aaKey-expired.pem"
TEST_CERT="${TEST}/hosts/moon/${IPSEC_DIR}/aacerts/aaCert-expired.pem"
to the virtual gateway <b>mars</b> implemented by the two real gateways
<b>alice</b> and <b>moon</b> in a <b>High Availability</b> (HA) setup
based on <b>ClusterIP</b>. The HA synchronisation link between the two
-gatways is secured by an IPsec transport connection. At the outset
+gateways is secured by an IPsec transport connection. At the outset
<b>alice</b> is the active and <b>moon</b> is the passive gateway.
After <b>alice</b> gets killed <b>moon</b> automatically takes over
all existing IKE_SAs and CHILD_SAs.
The roadwarrior <b>alice</b> is sitting behind the NAT router <b>moon</b> but
-at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+at the outset of the scenario is also directly connected to the 192.168.0.0/24 network
via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change
The roadwarrior <b>alice</b> is sitting behind the router <b>moon</b> but
-at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+at the outset of the scenario is also directly connected to the 192.168.0.0/24 network
via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change
The roadwarrior <b>alice</b> is sitting behind the router <b>moon</b> but
-at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+at the outset of the scenario is also directly connected to the 192.168.0.0/24 network
via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change
connection setup succeeds, although the certificate status is unknown.
</p>
<p>
-The roadwarrrior <b>dave</b> has a certificate from the Sales CA which contains
+The roadwarrior <b>dave</b> has a certificate from the Sales CA which contains
a single OCSP URI but which is not resolvable. Thus because of the known URI
a strict CRL policy is enforced and the unknown certificate status causes the
connection setup to fail.
This scenario tests <b>repeated authentication</b> according to RFC 4478.
-The iniator <b>carol</b> sets a large <b>ikelifetime=20m</b> but the responder
+The initiator <b>carol</b> sets a large <b>ikelifetime=20m</b> but the responder
<b>moon</b> defining a much shorter <b>ikelifetime=30s</b> proposes this
value via an AUTH_LIFETIME notification to the initiator. Thus the
IKE reauthentication takes places after less than 30s. A ping from
This scenario tests <b>repeated authentication</b> according to RFC 4478.
-The iniator <b>carol</b> sets a short <b>ikelifetime=20m</b> but the responder
+The initiator <b>carol</b> sets a short <b>ikelifetime=20m</b> but the responder
<b>moon</b> defining a much larger <b>ikelifetime=30s</b> proposes this
-value via an AUTH_LIFETIME notification to the initiator. The initatior
+value via an AUTH_LIFETIME notification to the initiator. The initiator
ignores this notification and schedules the IKE reauthentication within
the shorter interval of 30s. A ping from <b>carol</b> to client <b>alice</b>
hiding in the subnet behind <b>moon</b> tests if the CHILD_SA has been
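Review bot: beyond the two spelling fixes, this description is internally inconsistent: carol's ikelifetime=20m is called "short" and moon's ikelifetime=30s "much larger", yet the following sentence says reauthentication happens within "the shorter interval of 30s". Either the adjectives or the two values are swapped relative to each other; since the line is already being edited, correct it so the scenario text matches what the test checks.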
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@stronswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@strongswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO
moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
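Review bot: the corrected line is an evaluation check with expected result NO, i.e. the pattern must not match; with the misspelt "dave@stronswan.org" the pattern could never match, so the negative check passed trivially. Fixing the domain turns it into a real assertion that dave's rw-eap SA is not established, so this is a test-logic fix rather than a cosmetic one and deserves a mention in the commit message; the same applies to the two other evaluation files below with the same typo.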
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@stronswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
<b>local_ts</b> and <b>remote_ts</b> child parameters, three IPsec tunnels
between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
The first CHILD_SA is restricted to ICMP request packets, the second
-covers ICMP reply pachets and the third TCP-based FTP and SSH connections.
+covers ICMP reply packets and the third TCP-based FTP and SSH connections.
The established tunnels are tested by <b>carol</b> by first pinging <b>alice</b>
behind <b>moon</b> and then setting up an SSH session to the same client.
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
At the outset the gateway authenticates itself to the clients by sending
an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-The roadwarrios then use the <i>Extensible Authentication Protocol</i>
+The roadwarriors then use the <i>Extensible Authentication Protocol</i>
in association with an <i>MD5</i> challenge and response protocol
(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b> and includes
a <b>Postquantum Preshared Key (PPK)</b> that's also mixed into the
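Review bot: the corrected sentence still has a number-agreement error: "The roadwarriors then use ... to authenticate against the gateway moon and includes" should read "and include", since the subject is plural.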