Changelog for ike-2.2.0-alpha-9


------------------------------------------------------------------------
r630 | mgrooms | 2009-07-13 04:24:12 +0000 (Mon, 13 Jul 2009) | 9 lines

Correct a regression in iked that caused negotiations with Checkpoint
VPN-1 gateways to fail. While here, clean up a bit of checkpoint xauth
handling related to CHAP based authentication.

Rework a few functions that are used to support RSA based certificate
authentication. When a gateway sends more than one certificate during
phase1, we need to determine which certificate is the leaf certificate
being used to generate the signature for authentication. It would be
good if we could just match the remote ID to the subject name in the
certificate, but many gateways support non ASN1 DN based identities with
certificate authentication. Instead, we attempt to build a certificate
chain by examining the certificate list sent. We search for a
certificate that was not used to sign any other received certificate and
use its public key to perform authentication. This method was tested
with several Cisco, Checkpoint and ipsec-tools gateways. Many thanks to
Daniel Sabanes Bove who identified and reported this and other issues.

Correct a potential buffer overflow issue related to extracting a human
readable RSA key subject used in debug level output.

Increase the maximum packet length from 4k to 8k. This is necessary to
support large certificate chains.

Perform some cleanup related to libip fragment handling and re-assembly.
This should cause no change in functionality.
------------------------------------------------------------------------
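The leaf-selection rule described above (pick the received certificate whose key verifies none of the other received certificates' signatures), as an added example in Go using only the standard library; this is not code from the ike/iked project. The certificate chain, the `Example` CA names and `vpn-gw.example.test` are constructed test data, and `FindLeaf`, `mkCert` and `ReceivedChain` are names chosen here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// FindLeaf returns the index of the one received certificate whose public key
// verifies none of the others' signatures (a real signature check, not DN matching).
func FindLeaf(certs []*x509.Certificate) (int, error) {
	var leaves []int
	for i, cand := range certs {
		signedAnother := false
		for j, other := range certs { // did cand's key sign any other received cert?
			signedAnother = signedAnother || (i != j && other.CheckSignatureFrom(cand) == nil)
		}
		if !signedAnother {
			leaves = append(leaves, i)
		}
	}
	if len(leaves) != 1 { // zero or several candidates: refuse rather than guess a key
		return -1, fmt.Errorf("expected one leaf, found %d candidates", len(leaves))
	}
	return leaves[0], nil
}

// mkCert issues a constructed RSA test certificate; parent == nil means self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) } // constructed data: a failure here is a programming error
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ReceivedChain builds root -> intermediate -> leaf and returns them in the scrambled order a gateway might send.
func ReceivedChain() []*x509.Certificate {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("vpn-gw.example.test", false, inter, interKey)
	return []*x509.Certificate{inter, leaf, root}
}
```

Feeding two unrelated chains to `FindLeaf` yields two unsigned candidates and an error, which is the case a caller must treat as an authentication failure rather than picking either key.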