strongswan.git

Syntax error in sqlite.sql fixed.
Tobias Brunner [Fri, 4 Nov 2011 13:37:22 +0000 (14:37 +0100)]

Some Android NEWS added.
Tobias Brunner [Fri, 4 Nov 2011 11:24:16 +0000 (12:24 +0100)]

Don't build pluto and starter by default on Android.
Tobias Brunner [Fri, 4 Nov 2011 11:20:21 +0000 (12:20 +0100)]

if available link libsimaka to checksum_builder
Andreas Steffen [Fri, 4 Nov 2011 10:27:05 +0000 (11:27 +0100)]

use the correct USE_SIMAKA conditional
Andreas Steffen [Fri, 4 Nov 2011 07:38:09 +0000 (08:38 +0100)]

added integrity test to rw-eap-sim-rsa and rw-eap-aka-rsa scenarios
Andreas Steffen [Fri, 4 Nov 2011 07:35:33 +0000 (08:35 +0100)]

fixed integrity tests of plugins using libsimaka
Andreas Steffen [Thu, 3 Nov 2011 21:04:36 +0000 (22:04 +0100)]

Change order of ocsp uris when parsing a cert
Thomas Egerer [Fri, 4 Nov 2011 08:25:07 +0000 (09:25 +0100)]

Handle certificates being on hold in a CRL
Thomas Egerer [Fri, 4 Nov 2011 08:25:05 +0000 (09:25 +0100)]

Certificates which are set on hold in a CRL might be removed from any
subsequent CRL. Hence you cannot conclude that a certificate is revoked
for good in this case; you would try to retrieve an updated CRL to see if
the certificate on hold is still on it or not.

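The rule in the commit message above (certificateHold is provisional, so refetch before deciding), worked through as an added example. This is not strongSwan's revocation code: the struct, enum and function names are this example's own and the two CRLs are constructed sample data; only the reason-code values come from RFC 5280, section 5.3.1.

```c
/*
 * Added example, not strongSwan's revocation code: interpreting a CRL
 * entry's reason code, with certificateHold treated as a provisional
 * answer that calls for a fresh CRL rather than a final "revoked". The
 * struct, enum and function names are this example's own; the reason
 * values are those of RFC 5280, section 5.3.1.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef enum {
    REASON_UNSPECIFIED = 0, REASON_KEY_COMPROMISE = 1, REASON_CA_COMPROMISE = 2,
    REASON_AFFILIATION_CHANGED = 3, REASON_SUPERSEDED = 4,
    REASON_CESSATION_OF_OPERATION = 5, REASON_CERTIFICATE_HOLD = 6,
    REASON_REMOVE_FROM_CRL = 8, REASON_PRIVILEGE_WITHDRAWN = 9,
    REASON_AA_COMPROMISE = 10,
} crl_reason_t;

typedef enum {
    STATUS_GOOD,       /* not listed in a current CRL */
    STATUS_REVOKED,    /* listed with a final reason */
    STATUS_ON_HOLD,    /* listed as certificateHold: fetch a newer CRL */
    STATUS_STALE,      /* nextUpdate has passed: fetch a newer CRL */
} crl_status_t;

typedef struct {
    uint64_t serial;
    crl_reason_t reason;
} crl_entry_t;

typedef struct {
    time_t next_update;
    const crl_entry_t *entries;
    size_t count;
} crl_t;

/* Look one serial up in one CRL as of 'now'. */
crl_status_t crl_check(const crl_t *crl, uint64_t serial, time_t now)
{
    if (now > crl->next_update) {
        return STATUS_STALE;
    }
    for (size_t i = 0; i < crl->count; i++) {
        if (crl->entries[i].serial != serial) {
            continue;
        }
        switch (crl->entries[i].reason) {
            case REASON_CERTIFICATE_HOLD:
                return STATUS_ON_HOLD;
            case REASON_REMOVE_FROM_CRL:
                /* only appears in delta CRLs: the hold has been lifted */
                return STATUS_GOOD;
            default:
                return STATUS_REVOKED;
        }
    }
    return STATUS_GOOD;
}

typedef const crl_t *(*crl_fetch_t)(void *ctx);

/* Decide with the cached CRL first and only hit the network (the fetch
 * callback) when that answer is provisional. If no newer CRL can be
 * obtained the provisional answer stands; a verifier must treat ON_HOLD
 * and STALE as "not valid right now", never as "good". */
crl_status_t crl_resolve(const crl_t *cached, uint64_t serial, time_t now,
                         crl_fetch_t fetch, void *ctx)
{
    crl_status_t status = crl_check(cached, serial, now);
    const crl_t *fresh;

    if (status == STATUS_GOOD || status == STATUS_REVOKED) {
        return status;
    }
    fresh = fetch ? fetch(ctx) : NULL;
    return fresh ? crl_check(fresh, serial, now) : status;
}

/* Constructed sample CRLs: serial 0x1001 is on hold in the cached CRL and
 * absent from the newer one (hold lifted); 0x1002 is revoked for good. */
static const crl_entry_t cached_entries[] = {
    { 0x1001, REASON_CERTIFICATE_HOLD },
    { 0x1002, REASON_KEY_COMPROMISE },
};
static const crl_entry_t fresh_entries[] = {
    { 0x1002, REASON_KEY_COMPROMISE },
};
static const crl_t cached_crl = { 2000, cached_entries, 2 };
static const crl_t fresh_crl = { 3000, fresh_entries, 1 };

static const crl_t *fetch_fresh(void *ctx)
{
    (void)ctx;
    return &fresh_crl;
}

int main(void)
{
    static const char *names[] = { "good", "revoked", "on hold", "stale" };

    printf("0x1001 in cached CRL: %s\n",
           names[crl_check(&cached_crl, 0x1001, 1200)]);
    printf("0x1001 after refetch: %s\n",
           names[crl_resolve(&cached_crl, 0x1001, 1200, fetch_fresh, NULL)]);
    return 0;
}
```

With the sample data, 0x1001 is reported "on hold" from the cache and "good" once the newer CRL no longer lists it; if the fetch fails, the "on hold" answer is kept rather than downgraded to "good".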
Memwipe request after sa update, too
Thomas Egerer [Fri, 4 Nov 2011 08:25:01 +0000 (09:25 +0100)]

Use chunk_clear to memwipe shared secret
Thomas Egerer [Fri, 4 Nov 2011 08:24:58 +0000 (09:24 +0100)]

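What the two memwipe commits above are about, as an added example that is not strongSwan's own chunk_t/chunk_clear implementation: a buffer holding key material is wiped with a store the compiler cannot drop, then freed, then its descriptor reset. The names mirror strongSwan's convention but the code and the 32-byte stand-in secret are this example's own.

```c
/*
 * Added example, not strongSwan's own chunk_t/chunk_clear implementation:
 * a secret buffer that is wiped before it is freed, using a wipe the
 * compiler cannot optimise away. Names mirror strongSwan's convention but
 * the code is this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *ptr;
    size_t len;
} chunk_t;

/* A plain memset() right before free() is a dead store the compiler may
 * drop; writing through a volatile pointer forces every byte out. */
void memwipe(void *buf, size_t len)
{
    volatile uint8_t *p = buf;

    while (len--) {
        *p++ = 0;
    }
}

/* Free without wiping: fine for public data such as a certificate. */
void chunk_free(chunk_t *chunk)
{
    free(chunk->ptr);
    chunk->ptr = NULL;
    chunk->len = 0;
}

/* Wipe, then free, then reset the descriptor so a stale pointer cannot be
 * reused: what a DH shared secret or an IKE message buffer that carried
 * key material should get. */
void chunk_clear(chunk_t *chunk)
{
    if (chunk->ptr) {
        memwipe(chunk->ptr, chunk->len);
    }
    chunk_free(chunk);
}

chunk_t chunk_alloc(size_t len)
{
    chunk_t chunk = { malloc(len), len };

    if (!chunk.ptr) {
        chunk.len = 0;
    }
    return chunk;
}

/* Count bytes still non-zero: a freshly wiped buffer returns 0. */
size_t nonzero_bytes(const uint8_t *buf, size_t len)
{
    size_t count = 0;

    for (size_t i = 0; i < len; i++) {
        count += buf[i] != 0;
    }
    return count;
}

/* Lifecycle of a constructed 32-byte "shared secret": use it, wipe it,
 * check the wipe while the buffer is still owned, then release it.
 * Returns the non-zero byte count after memwipe (expected 0). */
size_t secret_lifecycle(void)
{
    chunk_t secret = chunk_alloc(32);
    size_t leftover;

    memset(secret.ptr, 0xAA, secret.len);  /* stands in for the real secret */
    /* ... derive keys from secret here ... */
    memwipe(secret.ptr, secret.len);
    leftover = nonzero_bytes(secret.ptr, secret.len);
    chunk_clear(&secret);                  /* wiping twice is harmless */
    return leftover;
}

int main(void)
{
    printf("bytes left after wipe: %zu\n", secret_lifecycle());
    return 0;
}
```

The check is done before chunk_clear() because reading a freed buffer is undefined behaviour; the point of clearing on every path (including the SA update path the first commit mentions) is that the secret is gone before the allocator can hand the memory to anyone else.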
Change order of destroy/get_ref function calls
Thomas Egerer [Fri, 4 Nov 2011 08:24:51 +0000 (09:24 +0100)]

Since DESTROY_IF might destroy the peer_cfg, a get_ref on a freed object
is subject to fail.

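The ordering bug described above, as an added example that is not strongSwan code: it mimics strongSwan's get_ref()/destroy()/DESTROY_IF convention to show why the new reference must be taken before the old one is dropped when both may be the same object. To make the bug observable, "freeing" only marks the object and later calls on it are counted instead of calling free(); that, and the holder_t type, are assumptions of this example.

```c
/*
 * Added example, not strongSwan code: mimics strongSwan's get_ref()/
 * destroy()/DESTROY_IF convention to show why the order of the two calls
 * matters when the new reference may be the object currently held. To make
 * the bug observable, "freeing" only marks the object and later calls on
 * it are counted instead of calling free() (an assumption of this example).
 */
#include <stdio.h>
#include <stdlib.h>

#define DESTROY_IF(obj) if (obj) (obj)->destroy(obj)

typedef struct peer_cfg_t peer_cfg_t;

struct peer_cfg_t {
    peer_cfg_t *(*get_ref)(peer_cfg_t *this);
    void (*destroy)(peer_cfg_t *this);
    int refcount;
    int freed;          /* set when the last reference was dropped */
};

static int use_after_free;  /* calls made on an already freed object */

static peer_cfg_t *_get_ref(peer_cfg_t *this)
{
    if (this->freed) {
        use_after_free++;
        return this;
    }
    this->refcount++;
    return this;
}

static void _destroy(peer_cfg_t *this)
{
    if (this->freed) {
        use_after_free++;
        return;
    }
    if (--this->refcount == 0) {
        this->freed = 1;    /* real code would free(this) here */
    }
}

peer_cfg_t *peer_cfg_create(void)
{
    peer_cfg_t *this = calloc(1, sizeof(*this));

    this->get_ref = _get_ref;
    this->destroy = _destroy;
    this->refcount = 1;
    return this;
}

typedef struct {
    peer_cfg_t *cfg;    /* the reference this holder owns */
} holder_t;

/* Buggy order: if holder->cfg is the same object as cfg and the holder
 * owned the last reference, DESTROY_IF frees it and get_ref() then runs
 * on freed memory. */
void set_cfg_destroy_first(holder_t *holder, peer_cfg_t *cfg)
{
    DESTROY_IF(holder->cfg);
    holder->cfg = cfg->get_ref(cfg);
}

/* Fixed order: take the new reference before dropping the old one, so the
 * refcount never reaches zero in between. */
void set_cfg_ref_first(holder_t *holder, peer_cfg_t *cfg)
{
    cfg->get_ref(cfg);
    DESTROY_IF(holder->cfg);
    holder->cfg = cfg;
}

/* Run one variant with the worst case: replacing the held config with
 * itself while holding the only reference. Returns the number of calls
 * made on a freed object (0 for the fixed order). */
int run_scenario(void (*set_cfg)(holder_t *, peer_cfg_t *))
{
    peer_cfg_t *cfg = peer_cfg_create();
    holder_t holder = { cfg };
    int detected;

    use_after_free = 0;
    set_cfg(&holder, cfg);
    detected = use_after_free;
    free(cfg);              /* the object was never really freed above */
    return detected;
}

int main(void)
{
    printf("destroy first: %d use(s) after free\n",
           run_scenario(set_cfg_destroy_first));
    printf("get_ref first: %d use(s) after free\n",
           run_scenario(set_cfg_ref_first));
    return 0;
}
```

With a real allocator the buggy order is a use-after-free that may or may not crash depending on what the allocator does with the freed block, which is exactly why it survives testing; the fixed order costs nothing and is the pattern to use whenever a reference is replaced.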
Fix resource leak in x509_ocsp_response
Thomas Egerer [Fri, 4 Nov 2011 08:24:47 +0000 (09:24 +0100)]

Extend xfrm_attr_type_names by newly added enum values
Thomas Egerer [Fri, 4 Nov 2011 08:24:38 +0000 (09:24 +0100)]

Silently install route again, even if it did not change.
Tobias Brunner [Fri, 4 Nov 2011 09:03:48 +0000 (10:03 +0100)]

Address/interface changes can cause the route to disappear. Afterwards
the route might look the same, but that does not mean it is still installed.

Compile warning fixed in kernel interfaces.
Tobias Brunner [Fri, 4 Nov 2011 08:58:58 +0000 (09:58 +0100)]

Common spelling errors fixed.
Tobias Brunner [Thu, 3 Nov 2011 18:30:17 +0000 (19:30 +0100)]

NEWS about pkcs11 plugin added.
Tobias Brunner [Thu, 3 Nov 2011 17:39:42 +0000 (18:39 +0100)]

pkcs11: Documented use_pubkey option in strongswan.conf(5).
Tobias Brunner [Thu, 3 Nov 2011 17:36:34 +0000 (18:36 +0100)]

pkcs11: Make public key operations on tokens optional.
Tobias Brunner [Thu, 3 Nov 2011 16:56:40 +0000 (17:56 +0100)]

pkcs11: Make sure a key can be used for a given signature scheme.
Tobias Brunner [Wed, 2 Nov 2011 19:25:39 +0000 (20:25 +0100)]

pkcs11: Register ECDSA feature.
Tobias Brunner [Wed, 2 Nov 2011 18:24:57 +0000 (19:24 +0100)]

pkcs11: We have to create our own hashes for some signature schemes.
Tobias Brunner [Wed, 2 Nov 2011 18:23:05 +0000 (19:23 +0100)]

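Why a PKCS#11 client sometimes has to hash on its own, as an added example that is not the strongSwan pkcs11 plugin's code: a token that offers only the raw CKM_RSA_PKCS mechanism (assumed here) signs whatever octets it is given with PKCS#1 v1.5 type-1 padding, so the caller must hash the data and wrap the digest in the DigestInfo structure itself; the CKM_SHA256_RSA_PKCS family does both steps on the token. The enum, table and function names are this example's own; the DER prefixes are those listed in RFC 8017, section 9.2, note 1, and the digest is a constructed stand-in.

```c
/*
 * Added example, not the strongSwan pkcs11 plugin's code: wrapping a
 * message digest in the PKCS#1 v1.5 DigestInfo structure so it can be
 * handed to a token that only offers the raw CKM_RSA_PKCS mechanism. The
 * enum and function names are this example's own; the DER prefixes are
 * the ones listed in RFC 8017, section 9.2, note 1.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    HASH_SHA1,
    HASH_SHA256,
    HASH_SHA384,
    HASH_SHA512,
} hash_algorithm_t;

/* DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier,
 *                           digest OCTET STRING }
 * Everything up to, but not including, the digest bytes. */
static const uint8_t sha1_prefix[] = {
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };
static const uint8_t sha256_prefix[] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
    0x05,0x00,0x04,0x20 };
static const uint8_t sha384_prefix[] = {
    0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,
    0x05,0x00,0x04,0x30 };
static const uint8_t sha512_prefix[] = {
    0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,
    0x05,0x00,0x04,0x40 };

static const struct {
    const uint8_t *prefix;
    size_t prefix_len;
    size_t digest_len;
} digest_infos[] = {
    [HASH_SHA1]   = { sha1_prefix,   sizeof(sha1_prefix),   20 },
    [HASH_SHA256] = { sha256_prefix, sizeof(sha256_prefix), 32 },
    [HASH_SHA384] = { sha384_prefix, sizeof(sha384_prefix), 48 },
    [HASH_SHA512] = { sha512_prefix, sizeof(sha512_prefix), 64 },
};

/* Digest length the algorithm must deliver, 0 for an unknown algorithm. */
size_t digest_length(hash_algorithm_t alg)
{
    if ((size_t)alg >= sizeof(digest_infos) / sizeof(digest_infos[0])) {
        return 0;
    }
    return digest_infos[alg].digest_len;
}

/* Write prefix || digest into out. Returns the bytes written, or 0 if the
 * digest length does not match the algorithm or out is too small. The
 * result is what C_Sign() with CKM_RSA_PKCS expects; the token adds the
 * 00 01 FF..FF 00 padding itself. */
size_t build_digest_info(hash_algorithm_t alg, const uint8_t *digest,
                         size_t digest_len, uint8_t *out, size_t out_len)
{
    size_t expected = digest_length(alg);
    size_t total;

    if (!expected || digest_len != expected) {
        return 0;
    }
    total = digest_infos[alg].prefix_len + digest_len;
    if (out_len < total) {
        return 0;
    }
    memcpy(out, digest_infos[alg].prefix, digest_infos[alg].prefix_len);
    memcpy(out + digest_infos[alg].prefix_len, digest, digest_len);
    return total;
}

/* Cheap self-check on the table: the outer SEQUENCE length byte must
 * cover everything after the first two bytes. */
int digest_info_is_consistent(const uint8_t *info, size_t len)
{
    return len >= 2 && info[0] == 0x30 && info[1] == len - 2;
}

int main(void)
{
    /* Constructed stand-in for a SHA-256 digest; a real caller hashes the
     * data first, since the token will not do it for CKM_RSA_PKCS. */
    uint8_t digest[32];
    uint8_t info[19 + 32];
    size_t n;

    memset(digest, 0xAB, sizeof(digest));
    n = build_digest_info(HASH_SHA256, digest, sizeof(digest), info, sizeof(info));
    printf("DigestInfo: %zu bytes, consistent: %d\n", n,
           digest_info_is_consistent(info, n));
    return 0;
}
```

Two practical notes: the length check matters because a token given a 20-byte digest under a SHA-256 prefix will happily sign a malformed DigestInfo, and a verifier that also skips the check will accept it; and a token that exposes raw CKM_RSA_PKCS is a signing oracle for anything of the right size to any caller with a logged-in session, which is a reason to prefer the hash-and-sign mechanisms wherever the token supports them.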
pkcs11: Lookup the public key of a private key by CKA_ID.
Tobias Brunner [Wed, 2 Nov 2011 18:11:46 +0000 (19:11 +0100)]

Currently this only works if a public key object with the same ID is
available; if there isn't one, we could search for a certificate with the
same ID and extract the key from there.

pkcs11: Search for private keys in a more generic way.
Tobias Brunner [Wed, 2 Nov 2011 18:07:23 +0000 (19:07 +0100)]

Also, don't extract the public key directly from the private key. Some
tokens actually do not return the public exponent (it's not required).
We have to find a different way to get the public key.

pkcs11: Added support to encode ECDSA public keys.
Tobias Brunner [Wed, 2 Nov 2011 18:04:43 +0000 (19:04 +0100)]

pkcs11: Parse ECDSA public keys and find/create them on tokens.
Tobias Brunner [Wed, 2 Nov 2011 17:59:48 +0000 (18:59 +0100)]

pkcs11: Added generic functions to find/create public keys on tokens.
Tobias Brunner [Wed, 2 Nov 2011 17:57:57 +0000 (18:57 +0100)]

pkcs11: Store public key length in bits.
Tobias Brunner [Wed, 2 Nov 2011 17:48:51 +0000 (18:48 +0100)]

pkcs11: Fix encoding of RSA public keys.
Tobias Brunner [Wed, 2 Nov 2011 17:43:27 +0000 (18:43 +0100)]

pkcs11: Use create_object_attr_enumerator to encode RSA public key.
Tobias Brunner [Wed, 2 Nov 2011 17:38:52 +0000 (18:38 +0100)]

pkcs11: Instead of a mutex use a new session to do multipart operations.
Tobias Brunner [Wed, 2 Nov 2011 16:24:37 +0000 (17:24 +0100)]

pkcs11: Function added to retrieve multiple attributes from a single object.
Tobias Brunner [Wed, 2 Nov 2011 16:09:43 +0000 (17:09 +0100)]

pkcs11: Memory leak fixed in DH/ECDH implementation.
Tobias Brunner [Wed, 2 Nov 2011 16:00:58 +0000 (17:00 +0100)]

pkcs11: Invalid free fixed in DH/ECDH implementation.
Tobias Brunner [Wed, 2 Nov 2011 16:00:27 +0000 (17:00 +0100)]

pkcs11: Changed how pkcs11-manager is initialized.
Tobias Brunner [Wed, 2 Nov 2011 10:24:25 +0000 (11:24 +0100)]

The manager is now created directly, but events and certificate loading
are deferred.

pkcs11: Add attributes to specify what we use the DH/ECDH keys for.
Tobias Brunner [Tue, 1 Nov 2011 10:05:49 +0000 (11:05 +0100)]

version bump to 4.6.0
Andreas Steffen [Wed, 2 Nov 2011 08:30:45 +0000 (09:30 +0100)]

enable integrity test in tnc/tnccs-dynamic scenario
Andreas Steffen [Wed, 2 Nov 2011 08:30:18 +0000 (09:30 +0100)]

charon must load libtls if available
Andreas Steffen [Wed, 2 Nov 2011 08:28:09 +0000 (09:28 +0100)]

fixed integrity tests of plugins using libtls or libtnccs
Andreas Steffen [Wed, 2 Nov 2011 05:41:48 +0000 (06:41 +0100)]

removed xcbc plugin from sql scenarios
Andreas Steffen [Mon, 31 Oct 2011 23:16:35 +0000 (00:16 +0100)]

tnc-tnccs plugin is now included in integrity tests
Andreas Steffen [Mon, 31 Oct 2011 22:29:49 +0000 (23:29 +0100)]

pkcs11: Allow to build pkcs11 plugin on Android.
Tobias Brunner [Mon, 31 Oct 2011 17:55:27 +0000 (18:55 +0100)]

pkcs11: Documented new options in strongswan.conf(5).
Tobias Brunner [Mon, 31 Oct 2011 17:50:10 +0000 (18:50 +0100)]

pkcs11: Register the pkcs11 plugin before any other crypto plugins.
Tobias Brunner [Mon, 31 Oct 2011 16:33:26 +0000 (17:33 +0100)]

This is what most users probably expect when they enable the pkcs11
plugin. All advanced features (like DH/RNG) are disabled by default.

pkcs11: Use callback registration for pkcs11-manager.
Tobias Brunner [Mon, 31 Oct 2011 16:31:25 +0000 (17:31 +0100)]

Otherwise a plugin providing X509 decoding capabilities might be unloaded
before the manager, which will result in a segmentation fault when
certificates in the manager's credential sets are to be destroyed.

pkcs11: Merged the ECDH into the DH implementation.
Tobias Brunner [Fri, 28 Oct 2011 18:59:03 +0000 (20:59 +0200)]

pkcs11: Use get_ck_attribute for ECDH.
Tobias Brunner [Fri, 28 Oct 2011 16:50:22 +0000 (18:50 +0200)]

pkcs11: Use get_ck_attribute for DH.
Tobias Brunner [Fri, 28 Oct 2011 16:49:31 +0000 (18:49 +0200)]

pkcs11: Method added to library to extract a single attribute from an object.
Tobias Brunner [Fri, 28 Oct 2011 16:36:44 +0000 (18:36 +0200)]

pkcs11: Added names for CKA_* constants.
Tobias Brunner [Fri, 28 Oct 2011 16:07:02 +0000 (18:07 +0200)]

pkcs11: Added support for ECDH.
Tobias Brunner [Wed, 26 Oct 2011 14:11:24 +0000 (16:11 +0200)]

pkcs11: Added definitions needed for ECDH to pkcs11.h.
Tobias Brunner [Wed, 26 Oct 2011 14:07:25 +0000 (16:07 +0200)]

pkcs11: Specify object class and key type when deriving DH secrets.
Tobias Brunner [Tue, 25 Oct 2011 16:23:59 +0000 (18:23 +0200)]

pkcs11_softtoken on OpenSolaris requires this (probably others too).

pkcs11: Add features support.
Tobias Brunner [Tue, 25 Oct 2011 13:51:41 +0000 (15:51 +0200)]

pkcs11: Added support for DH.
Tobias Brunner [Tue, 25 Oct 2011 08:29:07 +0000 (10:29 +0200)]

pkcs11: Error message fixed.
Tobias Brunner [Tue, 25 Oct 2011 07:54:17 +0000 (09:54 +0200)]

pkcs11: Added support to generate random numbers on a token.
Tobias Brunner [Mon, 24 Oct 2011 14:39:59 +0000 (16:39 +0200)]

pkcs11: Properly destroy mutex in pkcs11_hasher if no token found.
Tobias Brunner [Mon, 24 Oct 2011 14:36:55 +0000 (16:36 +0200)]

Added features support to agent plugin
Andreas Steffen [Sun, 30 Oct 2011 16:59:23 +0000 (17:59 +0100)]

Added features support to dnskey plugin
Andreas Steffen [Sun, 30 Oct 2011 16:57:16 +0000 (17:57 +0100)]

Added features support to pgp plugin
Andreas Steffen [Sun, 30 Oct 2011 16:52:13 +0000 (17:52 +0100)]

Added features support to pkcs1 plugin
Andreas Steffen [Sun, 30 Oct 2011 16:44:35 +0000 (17:44 +0100)]

added newline
Andreas Steffen [Sun, 30 Oct 2011 16:43:55 +0000 (17:43 +0100)]

remove pem_encoder_encode
Andreas Steffen [Sun, 30 Oct 2011 16:21:57 +0000 (17:21 +0100)]

Add features support to pem plugin
Andreas Steffen [Sun, 30 Oct 2011 16:15:53 +0000 (17:15 +0100)]

Some Doxygen fixes.
Tobias Brunner [Fri, 28 Oct 2011 19:24:52 +0000 (21:24 +0200)]

Copyright fixed.
Tobias Brunner [Fri, 28 Oct 2011 19:07:35 +0000 (21:07 +0200)]

pluto: Compile warning fixed.
Tobias Brunner [Thu, 27 Oct 2011 13:42:44 +0000 (15:42 +0200)]

pluto: plugin_list.* added to Android.mk.
Tobias Brunner [Thu, 27 Oct 2011 13:42:10 +0000 (15:42 +0200)]

Added missing backslash.
Tobias Brunner [Thu, 27 Oct 2011 13:41:30 +0000 (15:41 +0200)]

Forgot to add Android.mk in ba5b559b41fa70261c4f181f516acee272379a71.
Tobias Brunner [Wed, 26 Oct 2011 16:31:34 +0000 (18:31 +0200)]

Destroy objects hashtable after plugin_manager.
Tobias Brunner [Wed, 26 Oct 2011 15:35:18 +0000 (17:35 +0200)]

If plugins are not explicitly unloaded before library_deinit is called
there could have been a segfault, because some plugins might unregister
objects during unloading/destruction.

Add features support to pubkey plugin
Andreas Steffen [Wed, 26 Oct 2011 10:16:54 +0000 (12:16 +0200)]

Add features support to x509 plugin
Andreas Steffen [Wed, 26 Oct 2011 10:09:03 +0000 (12:09 +0200)]

Cosmetics
Andreas Steffen [Wed, 26 Oct 2011 08:32:54 +0000 (10:32 +0200)]

added listplugins support to pluto and whack
Andreas Steffen [Wed, 26 Oct 2011 08:31:48 +0000 (10:31 +0200)]

add listplugins to ipsec shell command
Andreas Steffen [Wed, 26 Oct 2011 07:30:58 +0000 (09:30 +0200)]

version bump to 4.6.0rc3
Andreas Steffen [Wed, 26 Oct 2011 07:17:57 +0000 (09:17 +0200)]

added tnc-tnccs plugin and removed xcbc plugin
Andreas Steffen [Tue, 25 Oct 2011 13:20:03 +0000 (15:20 +0200)]

Don't link to tnc libraries on Android as no tnc plugins are currently enabled.
Tobias Brunner [Tue, 25 Oct 2011 09:56:35 +0000 (11:56 +0200)]

Build libtnccs on Android.
Tobias Brunner [Tue, 25 Oct 2011 09:56:26 +0000 (11:56 +0200)]

share some code between IMC and IMV managers
Andreas Steffen [Tue, 25 Oct 2011 07:45:21 +0000 (09:45 +0200)]

removed unneeded includes
Andreas Steffen [Tue, 25 Oct 2011 05:36:24 +0000 (07:36 +0200)]

Fix DNS error handling for keyexchange=ike.
Mirko Parthey [Mon, 24 Oct 2011 23:25:15 +0000 (01:25 +0200)]

starter fails to load a connection when a peer's DNS name is temporarily
unresolvable and keyexchange=ike was specified, which defaults to IKEv2.
The connection loads just fine in case of keyexchange=ikev2.

refactored TNC framework
Andreas Steffen [Mon, 24 Oct 2011 23:10:02 +0000 (01:10 +0200)]

moved imv_manager to libtnccs
Andreas Steffen [Thu, 20 Oct 2011 20:06:10 +0000 (22:06 +0200)]

moved imc_manager to libtnccs
Andreas Steffen [Thu, 20 Oct 2011 19:12:29 +0000 (21:12 +0200)]

fixed type
Andreas Steffen [Sat, 22 Oct 2011 10:31:09 +0000 (12:31 +0200)]

version bump to 4.6.0rc2
Andreas Steffen [Sat, 22 Oct 2011 10:29:37 +0000 (12:29 +0200)]

Log if charon failed to establish a CHILD_SA but keeps the IKE_SA up.
Tobias Brunner [Fri, 21 Oct 2011 16:09:02 +0000 (18:09 +0200)]

starter.load documented in strongswan.conf(5) man page.
Tobias Brunner [Fri, 21 Oct 2011 15:30:39 +0000 (17:30 +0200)]

starter: Android.mk updated to use kernel-netlink via libhydra.
Tobias Brunner [Fri, 21 Oct 2011 12:16:42 +0000 (14:16 +0200)]

starter: Use kernel interfaces to flush SAD and SPD.
Tobias Brunner [Fri, 21 Oct 2011 12:14:36 +0000 (14:14 +0200)]

This now supports platforms where neither 'ip xfrm' nor 'setkey' are
available (like Android).

starter: Load plugins specific to starter.
Tobias Brunner [Fri, 21 Oct 2011 12:07:42 +0000 (14:07 +0200)]

starter: INFO_FILE is not used anymore.
Tobias Brunner [Fri, 21 Oct 2011 12:05:18 +0000 (14:05 +0200)]

The load-tester plugin does not support SAD/SPD flushing.
Tobias Brunner [Fri, 21 Oct 2011 12:23:31 +0000 (14:23 +0200)]

The kernel-klips plugin does currently not support SAD/SPD flushing.
Tobias Brunner [Fri, 21 Oct 2011 11:44:17 +0000 (13:44 +0200)]

Implemented flushing of SAD and SPD entries via PF_KEY.
Tobias Brunner [Fri, 21 Oct 2011 12:03:39 +0000 (14:03 +0200)]