strongswan.git
12 years agoAdded a stub for the EAP-AKA backend implementing the 3GPP2 functions in software
Martin Willi [Thu, 8 Oct 2009 08:29:43 +0000 (10:29 +0200)]
Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software

12 years agoImplemented a manager for USIM cards/providers very similar to the SIM manager
Martin Willi [Thu, 8 Oct 2009 07:08:46 +0000 (09:08 +0200)]
Implemented a manager for USIM cards/providers very similar to the SIM manager

12 years agocorrected caption
Andreas Steffen [Thu, 8 Oct 2009 22:16:33 +0000 (00:16 +0200)]
corrected caption

12 years agocreated identification_create_from_sockaddr() function
Andreas Steffen [Thu, 8 Oct 2009 22:13:02 +0000 (00:13 +0200)]
created identification_create_from_sockaddr() function

12 years agoAdded medsrv.fcgi to gitignore
Martin Willi [Thu, 8 Oct 2009 11:10:02 +0000 (13:10 +0200)]
Added medsrv.fcgi to gitignore

12 years agomedsrv.fcgi is not part of the git tree
Andreas Steffen [Thu, 8 Oct 2009 11:05:27 +0000 (13:05 +0200)]
medsrv.fcgi is not part of the git tree

12 years agohex_str() isn't used externally any more
Andreas Steffen [Thu, 8 Oct 2009 11:04:07 +0000 (13:04 +0200)]
hex_str() isn't used externally any more

12 years agoparsing of generalNames is not needed any more
Andreas Steffen [Thu, 8 Oct 2009 10:42:29 +0000 (12:42 +0200)]
parsing of generalNames is not needed any more

12 years agouse of asn1_build_known_oid()
Andreas Steffen [Thu, 8 Oct 2009 10:35:36 +0000 (12:35 +0200)]
use of asn1_build_known_oid()

12 years agomigrated public key IDs to identification_t
Andreas Steffen [Thu, 8 Oct 2009 09:25:33 +0000 (11:25 +0200)]
migrated public key IDs to identification_t

12 years agoReenabled acq_expires SA timer using rekey timeout
Martin Willi [Wed, 7 Oct 2009 09:40:36 +0000 (11:40 +0200)]
Reenabled acq_expires SA timer using rekey timeout

While not using a SA expiration for allocating SPIs works fine,
the situation is much more problematic for kernel-created temporary
SAs from acquires. If the negotiation of such a CHILD_SA fails,
the created temporary SA can not be deleted.

12 years agoCatch CHILD_SA state changes during acquire
Martin Willi [Wed, 7 Oct 2009 08:14:18 +0000 (10:14 +0200)]
Catch CHILD_SA state changes during acquire

If an acquire fails due to a TS_UNACCEPTABLE or other CHILD_SA only errors,
we have to reset the pending state in the trap manager.

12 years agolist subjectAltNames
Andreas Steffen [Tue, 6 Oct 2009 21:50:26 +0000 (23:50 +0200)]
list subjectAltNames

12 years agosome ipsec listall finetuning
Andreas Steffen [Tue, 6 Oct 2009 21:19:46 +0000 (23:19 +0200)]
some ipsec listall finetuning

12 years agopluto and charon now have the same ipsec listall output format
Andreas Steffen [Tue, 6 Oct 2009 14:49:46 +0000 (16:49 +0200)]
pluto and charon now have the same ipsec listall output format

12 years agothe ikev1 scenarios need the x509 plugin
Andreas Steffen [Tue, 6 Oct 2009 12:38:34 +0000 (14:38 +0200)]
the ikev1 scenarios need the x509 plugin

12 years agostreamlined output from get_validity()
Andreas Steffen [Tue, 6 Oct 2009 12:22:27 +0000 (14:22 +0200)]
streamlined output from get_validity()

12 years agofixed serial number conversion from hex
Andreas Steffen [Mon, 5 Oct 2009 21:52:35 +0000 (23:52 +0200)]
fixed serial number conversion from hex

12 years agodelete group attributes after use
Andreas Steffen [Mon, 5 Oct 2009 21:17:36 +0000 (23:17 +0200)]
delete group attributes after use

12 years agostroke_list outputs group attributes
Andreas Steffen [Mon, 5 Oct 2009 21:13:51 +0000 (23:13 +0200)]
stroke_list outputs group attributes

12 years agoipsec pki --issue suports --flag authServer option
Andreas Steffen [Mon, 5 Oct 2009 20:44:01 +0000 (22:44 +0200)]
ipsec pki --issue suports --flag authServer option

12 years agoipsec pki --issue supports --flag ocspSigning option
Andreas Steffen [Mon, 5 Oct 2009 19:20:42 +0000 (21:20 +0200)]
ipsec pki --issue supports --flag ocspSigning option

12 years agoCleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads
Martin Willi [Mon, 5 Oct 2009 12:06:32 +0000 (14:06 +0200)]
Cleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads

12 years agoCleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads
Martin Willi [Mon, 5 Oct 2009 11:32:41 +0000 (13:32 +0200)]
Cleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads

12 years agoDistinguish invalid free()s between corrupted magic and invalid pointer
Martin Willi [Mon, 5 Oct 2009 08:49:10 +0000 (10:49 +0200)]
Distinguish invalid free()s between corrupted magic and invalid pointer

12 years agopluto now uses x509 plugin for attribute certificate handling
Andreas Steffen [Mon, 5 Oct 2009 05:24:28 +0000 (07:24 +0200)]
pluto now uses x509 plugin for attribute certificate handling

12 years agofixed output of authKeyID
Andreas Steffen [Fri, 2 Oct 2009 19:20:45 +0000 (21:20 +0200)]
fixed output of authKeyID

12 years agomark embedded parsing in debug mode
Andreas Steffen [Fri, 2 Oct 2009 18:54:15 +0000 (20:54 +0200)]
mark embedded parsing in debug mode

12 years agoadded some notBefore/notAfter debugging info
Andreas Steffen [Fri, 2 Oct 2009 18:14:09 +0000 (20:14 +0200)]
added some notBefore/notAfter debugging info

12 years agoverify correctness of X.509 versions
Andreas Steffen [Fri, 2 Oct 2009 15:49:51 +0000 (17:49 +0200)]
verify correctness of X.509 versions

12 years agoadded all missing RFC 5280 OIDs
Andreas Steffen [Fri, 2 Oct 2009 12:10:27 +0000 (14:10 +0200)]
added all missing RFC 5280 OIDs

13 years agocreated ikev1/mode-config-multiple scenario
Andreas Steffen [Thu, 1 Oct 2009 07:42:35 +0000 (09:42 +0200)]
created ikev1/mode-config-multiple scenario

13 years agofixes multiple IPsec SAs with IKEv1 Mode Config
Andreas Steffen [Thu, 1 Oct 2009 07:41:35 +0000 (09:41 +0200)]
fixes multiple IPsec SAs with IKEv1 Mode Config

13 years agogenerate known OIDs dynamically
Andreas Steffen [Wed, 30 Sep 2009 09:49:32 +0000 (11:49 +0200)]
generate known OIDs dynamically

13 years agopluto's crl handling now uses the x509 plugin
Andreas Steffen [Wed, 30 Sep 2009 07:29:15 +0000 (09:29 +0200)]
pluto's crl handling now uses the x509 plugin

13 years agoscepclient uses pkcs10 from libstrongswan
Andreas Steffen [Mon, 28 Sep 2009 03:52:20 +0000 (05:52 +0200)]
scepclient uses pkcs10 from libstrongswan

13 years agoabbreviated struct connection by connection_t
Andreas Steffen [Sun, 27 Sep 2009 21:49:37 +0000 (23:49 +0200)]
abbreviated struct connection by connection_t

13 years agopluto and scepclient now use the x509 plugin for certificates
Andreas Steffen [Sun, 27 Sep 2009 21:09:30 +0000 (23:09 +0200)]
pluto and scepclient now use the x509 plugin for certificates

13 years agowhitelist Curl_client_write
Andreas Steffen [Sun, 27 Sep 2009 21:07:21 +0000 (23:07 +0200)]
whitelist Curl_client_write

13 years agoadded get_subjectKeyIdentifier() to x509_t
Andreas Steffen [Sat, 26 Sep 2009 20:10:36 +0000 (22:10 +0200)]
added get_subjectKeyIdentifier() to x509_t

13 years agoDo not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts
Martin Willi [Thu, 24 Sep 2009 12:15:20 +0000 (14:15 +0200)]
Do not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts

13 years agoDo not create a replacement IKE_SA if we have CHILD_SAs to route only
Martin Willi [Thu, 24 Sep 2009 12:14:30 +0000 (14:14 +0200)]
Do not create a replacement IKE_SA if we have CHILD_SAs to route only

13 years agoUsing the correct type for ME_ENDPOINT payloads in connectivity checks.
Tobias Brunner [Thu, 24 Sep 2009 09:28:43 +0000 (11:28 +0200)]
Using the correct type for ME_ENDPOINT payloads in connectivity checks.

13 years agoRight-align short options in pki usage
Martin Willi [Thu, 24 Sep 2009 09:28:31 +0000 (11:28 +0200)]
Right-align short options in pki usage

13 years agocertificate subject DNs are in double quotes
Andreas Steffen [Wed, 23 Sep 2009 20:03:52 +0000 (22:03 +0200)]
certificate subject DNs are in double quotes

13 years agostreamlining of credential loading debug output
Andreas Steffen [Wed, 23 Sep 2009 19:55:48 +0000 (21:55 +0200)]
streamlining of credential loading debug output

13 years agoadded fix of PKCS#7 wrapped certificates to NEWS
Andreas Steffen [Wed, 23 Sep 2009 19:50:56 +0000 (21:50 +0200)]
added fix of PKCS#7 wrapped certificates to NEWS

13 years agoadded and fixed debug output of version information
Andreas Steffen [Wed, 23 Sep 2009 14:21:18 +0000 (16:21 +0200)]
added and fixed debug output of version information

13 years agofixed PKCS#7 wrapped certificate parsing
Andreas Steffen [Wed, 23 Sep 2009 13:51:40 +0000 (15:51 +0200)]
fixed PKCS#7 wrapped certificate parsing

13 years agoUse mysql_config to query MySQL LIBS and CFLAGS
Martin Willi [Wed, 23 Sep 2009 10:45:03 +0000 (12:45 +0200)]
Use mysql_config to query MySQL LIBS and CFLAGS

13 years agoFixed a crash in source address lookup
Martin Willi [Wed, 23 Sep 2009 09:18:30 +0000 (11:18 +0200)]
Fixed a crash in source address lookup

13 years agoDefine ME for all charon plugins
Martin Willi [Wed, 23 Sep 2009 09:13:27 +0000 (11:13 +0200)]
Define ME for all charon plugins

13 years agoCorrectly handle --enable-mediation option
Martin Willi [Wed, 23 Sep 2009 08:49:38 +0000 (10:49 +0200)]
Correctly handle --enable-mediation option

13 years agoenforce coding rules
Andreas Steffen [Tue, 22 Sep 2009 19:50:28 +0000 (21:50 +0200)]
enforce coding rules

13 years agoenforce coding rules
Andreas Steffen [Tue, 22 Sep 2009 18:54:10 +0000 (20:54 +0200)]
enforce coding rules

13 years agoset XFRM_STATE_AF_UNSPEC flag
Andreas Steffen [Tue, 22 Sep 2009 18:00:49 +0000 (20:00 +0200)]
set XFRM_STATE_AF_UNSPEC flag

13 years agoEmit a ALERT_SHUTDOWN_SIGNAL before shutting down the daemon
Martin Willi [Tue, 22 Sep 2009 14:59:25 +0000 (16:59 +0200)]
Emit a ALERT_SHUTDOWN_SIGNAL before shutting down the daemon

13 years agoadding additional flags to loaded X.509 certificates
Andreas Steffen [Tue, 22 Sep 2009 10:55:25 +0000 (12:55 +0200)]
adding additional flags to loaded X.509 certificates

13 years agoreadying NEWS for the strongswan-4.3.5dr2 release
Andreas Steffen [Tue, 22 Sep 2009 10:44:58 +0000 (12:44 +0200)]
readying NEWS for the strongswan-4.3.5dr2 release

13 years agoshortened file loading debug output
Andreas Steffen [Tue, 22 Sep 2009 10:33:13 +0000 (12:33 +0200)]
shortened file loading debug output

13 years agocomputed hash-and-url for new certificates
Andreas Steffen [Tue, 22 Sep 2009 10:05:37 +0000 (12:05 +0200)]
computed hash-and-url for new certificates

13 years agoFixed encoding of hash-and-url cert payload
Martin Willi [Tue, 22 Sep 2009 08:07:04 +0000 (10:07 +0200)]
Fixed encoding of hash-and-url cert payload

13 years agoDo not assign SIM version to a volatile buffer on stack
Martin Willi [Tue, 22 Sep 2009 07:11:35 +0000 (09:11 +0200)]
Do not assign SIM version to a volatile buffer on stack

13 years agoCA certificates are looked up using the subjectPublicKeyInfo keyid
Martin Willi [Mon, 21 Sep 2009 16:13:25 +0000 (18:13 +0200)]
CA certificates are looked up using the subjectPublicKeyInfo keyid

13 years agoCredential backends use has_fingerprint() methods to select keys/certificates
Martin Willi [Mon, 21 Sep 2009 15:03:00 +0000 (17:03 +0200)]
Credential backends use has_fingerprint() methods to select keys/certificates

13 years agoPublic/Private keys implement a has_fingerprint() method
Martin Willi [Mon, 21 Sep 2009 14:47:25 +0000 (16:47 +0200)]
Public/Private keys implement a has_fingerprint() method

13 years agoCorrectly serve certificates if CERT_ANY requested
Martin Willi [Mon, 21 Sep 2009 13:34:29 +0000 (15:34 +0200)]
Correctly serve certificates if CERT_ANY requested

13 years agoEnforce a local address of the same family as remote address
Martin Willi [Mon, 21 Sep 2009 13:19:39 +0000 (15:19 +0200)]
Enforce a local address of the same family as remote address

13 years agoReturn certificates of requested kind only
Martin Willi [Mon, 21 Sep 2009 12:43:57 +0000 (14:43 +0200)]
Return certificates of requested kind only

13 years agoplugin has been renamed to resolve
Andreas Steffen [Sun, 20 Sep 2009 20:03:23 +0000 (22:03 +0200)]
plugin has been renamed to resolve

13 years agodelete resolv_conf_* files
Andreas Steffen [Sun, 20 Sep 2009 19:59:36 +0000 (21:59 +0200)]
delete resolv_conf_* files

13 years agoall arguments must be read
Andreas Steffen [Sun, 20 Sep 2009 19:56:22 +0000 (21:56 +0200)]
all arguments must be read

13 years agoresolv_conf plugin renamed to resolve
Andreas Steffen [Sun, 20 Sep 2009 17:06:58 +0000 (19:06 +0200)]
resolv_conf plugin renamed to resolve

13 years agoadapt evaltest.dat to changed debug output
Andreas Steffen [Sun, 20 Sep 2009 15:23:24 +0000 (17:23 +0200)]
adapt evaltest.dat to changed debug output

13 years agorenewed certs in dynamic-initiator/dynamic-responder scenarios
Andreas Steffen [Sat, 19 Sep 2009 06:18:42 +0000 (08:18 +0200)]
renewed certs in dynamic-initiator/dynamic-responder scenarios

13 years agouse new certificates
Andreas Steffen [Fri, 18 Sep 2009 22:26:55 +0000 (00:26 +0200)]
use new certificates

13 years agoeliminated double library_deinit()
Andreas Steffen [Fri, 18 Sep 2009 22:00:56 +0000 (00:00 +0200)]
eliminated double library_deinit()

13 years agokeyids of renewed keys
Andreas Steffen [Fri, 18 Sep 2009 19:44:57 +0000 (21:44 +0200)]
keyids of renewed keys

13 years agoupdated to renewed certs in SQL database
Andreas Steffen [Fri, 18 Sep 2009 19:22:37 +0000 (21:22 +0200)]
updated to renewed certs in SQL database

13 years agorenewal of end entity certificates
Andreas Steffen [Fri, 18 Sep 2009 19:17:03 +0000 (21:17 +0200)]
renewal of end entity certificates

13 years agofixed --enable-eap-md5 and --enable-eap-gtc options
Andreas Steffen [Fri, 18 Sep 2009 16:23:26 +0000 (18:23 +0200)]
fixed --enable-eap-md5 and --enable-eap-gtc options

13 years agobackwards compatibility with SQL format
Andreas Steffen [Fri, 18 Sep 2009 05:22:07 +0000 (07:22 +0200)]
backwards compatibility with SQL format

13 years agoUse helper functions to handle (non-)skippable attributes
Martin Willi [Fri, 18 Sep 2009 13:08:43 +0000 (15:08 +0200)]
Use helper functions to handle (non-)skippable attributes

13 years agoClients can handle AKA-Identity requests by sending the full identity
Martin Willi [Fri, 18 Sep 2009 12:51:35 +0000 (14:51 +0200)]
Clients can handle AKA-Identity requests by sending the full identity

13 years agonm uses the distributions trusted root CAs if none is explicitly specified
Martin Willi [Fri, 18 Sep 2009 12:29:50 +0000 (14:29 +0200)]
nm uses the distributions trusted root CAs if none is explicitly specified

13 years agosome reformulations
Andreas Steffen [Thu, 17 Sep 2009 20:20:35 +0000 (22:20 +0200)]
some reformulations

13 years agoget_private() in listcacerts requires a valid auth cfg
Martin Willi [Thu, 17 Sep 2009 10:47:03 +0000 (12:47 +0200)]
get_private() in listcacerts requires a valid auth cfg

13 years agoFixed nexthop lookup, used by source route installation
Martin Willi [Wed, 16 Sep 2009 11:55:32 +0000 (13:55 +0200)]
Fixed nexthop lookup, used by source route installation

13 years agoUse continue to advance to next iteration
Martin Willi [Wed, 16 Sep 2009 11:32:47 +0000 (13:32 +0200)]
Use continue to advance to next iteration

13 years agoComplain about missing %defaultroute support only if one is actually used
Martin Willi [Wed, 16 Sep 2009 11:27:49 +0000 (13:27 +0200)]
Complain about missing %defaultroute support only if one is actually used

13 years agoUse the default debug hook if possible
Martin Willi [Wed, 16 Sep 2009 11:16:00 +0000 (13:16 +0200)]
Use the default debug hook if possible

13 years agoDefault logger implementation can be modified by dbg_default_set_level/stream
Martin Willi [Wed, 16 Sep 2009 11:06:16 +0000 (13:06 +0200)]
Default logger implementation can be modified by dbg_default_set_level/stream

13 years agoRemoved obsolete per-command debug level option
Martin Willi [Wed, 16 Sep 2009 10:52:56 +0000 (12:52 +0200)]
Removed obsolete per-command debug level option

13 years agoFixed loading of DER encoded certificate files
Martin Willi [Wed, 16 Sep 2009 09:24:35 +0000 (11:24 +0200)]
Fixed loading of DER encoded certificate files

13 years agocorrected usage
Andreas Steffen [Tue, 15 Sep 2009 20:43:22 +0000 (22:43 +0200)]
corrected usage

13 years agopki --req generates a PKCS#10 certificate request
Andreas Steffen [Tue, 15 Sep 2009 20:33:32 +0000 (22:33 +0200)]
pki --req generates a PKCS#10 certificate request

13 years agoimplemented ASN.1 encoding of PKCS#10 attributes
Andreas Steffen [Tue, 15 Sep 2009 19:55:44 +0000 (21:55 +0200)]
implemented ASN.1 encoding of PKCS#10 attributes

13 years agofixed typo
Andreas Steffen [Tue, 15 Sep 2009 14:48:13 +0000 (16:48 +0200)]
fixed typo

13 years agoDisable rtnetlink defaultroute lookup if pluto is disabled
Martin Willi [Tue, 15 Sep 2009 11:13:45 +0000 (13:13 +0200)]
Disable rtnetlink defaultroute lookup if pluto is disabled

As we do not support Pluto on BSD/Mac, exclude the Linux specific
rtnetlink routing lookup; Charon doesn't require it anyway.

13 years agoGet starter default route via rtnetlink
Heiko Hund [Tue, 8 Sep 2009 09:32:50 +0000 (11:32 +0200)]
Get starter default route via rtnetlink

This patch changes the way routes are fetched from the kernel by starter.

The way it's currently done (via /proc) is limited to routes in the
"main" routing table. Routes from the "default" table are never seen by
starter. Starter may miss the default route even if it's set. Thus, default
routes are now read from the "main" and the "default" table.

The way this code behaves if more than one default route is found is slightly
different to before. Instead of bailing out it just chooses the one with the best
metric. I thought this was be a reasonable change.