strongswan.git
11 years ago: Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software
Martin Willi [Thu, 8 Oct 2009 08:29:43 +0000 (10:29 +0200)]
Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software

11 years ago: Implemented a manager for USIM cards/providers very similar to the SIM manager
Martin Willi [Thu, 8 Oct 2009 07:08:46 +0000 (09:08 +0200)]
Implemented a manager for USIM cards/providers very similar to the SIM manager

11 years ago: corrected caption
Andreas Steffen [Thu, 8 Oct 2009 22:16:33 +0000 (00:16 +0200)]
corrected caption

11 years ago: created identification_create_from_sockaddr() function
Andreas Steffen [Thu, 8 Oct 2009 22:13:02 +0000 (00:13 +0200)]
created identification_create_from_sockaddr() function

11 years ago: Added medsrv.fcgi to gitignore
Martin Willi [Thu, 8 Oct 2009 11:10:02 +0000 (13:10 +0200)]
Added medsrv.fcgi to gitignore

11 years ago: medsrv.fcgi is not part of the git tree
Andreas Steffen [Thu, 8 Oct 2009 11:05:27 +0000 (13:05 +0200)]
medsrv.fcgi is not part of the git tree

11 years ago: hex_str() isn't used externally any more
Andreas Steffen [Thu, 8 Oct 2009 11:04:07 +0000 (13:04 +0200)]
hex_str() isn't used externally any more

11 years ago: parsing of generalNames is not needed any more
Andreas Steffen [Thu, 8 Oct 2009 10:42:29 +0000 (12:42 +0200)]
parsing of generalNames is not needed any more

11 years ago: use of asn1_build_known_oid()
Andreas Steffen [Thu, 8 Oct 2009 10:35:36 +0000 (12:35 +0200)]
use of asn1_build_known_oid()

11 years ago: migrated public key IDs to identification_t
Andreas Steffen [Thu, 8 Oct 2009 09:25:33 +0000 (11:25 +0200)]
migrated public key IDs to identification_t

11 years ago: Reenabled acq_expires SA timer using rekey timeout
Martin Willi [Wed, 7 Oct 2009 09:40:36 +0000 (11:40 +0200)]
Reenabled acq_expires SA timer using rekey timeout

While not using a SA expiration for allocating SPIs works fine,
the situation is much more problematic for kernel-created temporary
SAs from acquires. If the negotiation of such a CHILD_SA fails,
the created temporary SA can not be deleted.

11 years ago: Catch CHILD_SA state changes during acquire
Martin Willi [Wed, 7 Oct 2009 08:14:18 +0000 (10:14 +0200)]
Catch CHILD_SA state changes during acquire

If an acquire fails due to a TS_UNACCEPTABLE or other CHILD_SA only errors,
we have to reset the pending state in the trap manager.

11 years ago: list subjectAltNames
Andreas Steffen [Tue, 6 Oct 2009 21:50:26 +0000 (23:50 +0200)]
list subjectAltNames

11 years ago: some ipsec listall finetuning
Andreas Steffen [Tue, 6 Oct 2009 21:19:46 +0000 (23:19 +0200)]
some ipsec listall finetuning

11 years ago: pluto and charon now have the same ipsec listall output format
Andreas Steffen [Tue, 6 Oct 2009 14:49:46 +0000 (16:49 +0200)]
pluto and charon now have the same ipsec listall output format

11 years ago: the ikev1 scenarios need the x509 plugin
Andreas Steffen [Tue, 6 Oct 2009 12:38:34 +0000 (14:38 +0200)]
the ikev1 scenarios need the x509 plugin

11 years ago: streamlined output from get_validity()
Andreas Steffen [Tue, 6 Oct 2009 12:22:27 +0000 (14:22 +0200)]
streamlined output from get_validity()

11 years ago: fixed serial number conversion from hex
Andreas Steffen [Mon, 5 Oct 2009 21:52:35 +0000 (23:52 +0200)]
fixed serial number conversion from hex

11 years ago: delete group attributes after use
Andreas Steffen [Mon, 5 Oct 2009 21:17:36 +0000 (23:17 +0200)]
delete group attributes after use

11 years ago: stroke_list outputs group attributes
Andreas Steffen [Mon, 5 Oct 2009 21:13:51 +0000 (23:13 +0200)]
stroke_list outputs group attributes

11 years ago: ipsec pki --issue supports --flag authServer option
Andreas Steffen [Mon, 5 Oct 2009 20:44:01 +0000 (22:44 +0200)]
ipsec pki --issue supports --flag authServer option

11 years ago: ipsec pki --issue supports --flag ocspSigning option
Andreas Steffen [Mon, 5 Oct 2009 19:20:42 +0000 (21:20 +0200)]
ipsec pki --issue supports --flag ocspSigning option

11 years ago: Cleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads
Martin Willi [Mon, 5 Oct 2009 12:06:32 +0000 (14:06 +0200)]
Cleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads

11 years ago: Cleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads
Martin Willi [Mon, 5 Oct 2009 11:32:41 +0000 (13:32 +0200)]
Cleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads

11 years ago: Distinguish invalid free()s between corrupted magic and invalid pointer
Martin Willi [Mon, 5 Oct 2009 08:49:10 +0000 (10:49 +0200)]
Distinguish invalid free()s between corrupted magic and invalid pointer

11 years ago: pluto now uses x509 plugin for attribute certificate handling
Andreas Steffen [Mon, 5 Oct 2009 05:24:28 +0000 (07:24 +0200)]
pluto now uses x509 plugin for attribute certificate handling

11 years ago: fixed output of authKeyID
Andreas Steffen [Fri, 2 Oct 2009 19:20:45 +0000 (21:20 +0200)]
fixed output of authKeyID

11 years ago: mark embedded parsing in debug mode
Andreas Steffen [Fri, 2 Oct 2009 18:54:15 +0000 (20:54 +0200)]
mark embedded parsing in debug mode

11 years ago: added some notBefore/notAfter debugging info
Andreas Steffen [Fri, 2 Oct 2009 18:14:09 +0000 (20:14 +0200)]
added some notBefore/notAfter debugging info

11 years ago: verify correctness of X.509 versions
Andreas Steffen [Fri, 2 Oct 2009 15:49:51 +0000 (17:49 +0200)]
verify correctness of X.509 versions

11 years ago: added all missing RFC 5280 OIDs
Andreas Steffen [Fri, 2 Oct 2009 12:10:27 +0000 (14:10 +0200)]
added all missing RFC 5280 OIDs

11 years ago: created ikev1/mode-config-multiple scenario
Andreas Steffen [Thu, 1 Oct 2009 07:42:35 +0000 (09:42 +0200)]
created ikev1/mode-config-multiple scenario

11 years ago: fixes multiple IPsec SAs with IKEv1 Mode Config
Andreas Steffen [Thu, 1 Oct 2009 07:41:35 +0000 (09:41 +0200)]
fixes multiple IPsec SAs with IKEv1 Mode Config

11 years ago: generate known OIDs dynamically
Andreas Steffen [Wed, 30 Sep 2009 09:49:32 +0000 (11:49 +0200)]
generate known OIDs dynamically

11 years ago: pluto's crl handling now uses the x509 plugin
Andreas Steffen [Wed, 30 Sep 2009 07:29:15 +0000 (09:29 +0200)]
pluto's crl handling now uses the x509 plugin

11 years ago: scepclient uses pkcs10 from libstrongswan
Andreas Steffen [Mon, 28 Sep 2009 03:52:20 +0000 (05:52 +0200)]
scepclient uses pkcs10 from libstrongswan

11 years ago: abbreviated struct connection by connection_t
Andreas Steffen [Sun, 27 Sep 2009 21:49:37 +0000 (23:49 +0200)]
abbreviated struct connection by connection_t

11 years ago: pluto and scepclient now use the x509 plugin for certificates
Andreas Steffen [Sun, 27 Sep 2009 21:09:30 +0000 (23:09 +0200)]
pluto and scepclient now use the x509 plugin for certificates

11 years ago: whitelist Curl_client_write
Andreas Steffen [Sun, 27 Sep 2009 21:07:21 +0000 (23:07 +0200)]
whitelist Curl_client_write

11 years ago: added get_subjectKeyIdentifier() to x509_t
Andreas Steffen [Sat, 26 Sep 2009 20:10:36 +0000 (22:10 +0200)]
added get_subjectKeyIdentifier() to x509_t

11 years ago: Do not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts
Martin Willi [Thu, 24 Sep 2009 12:15:20 +0000 (14:15 +0200)]
Do not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts

11 years ago: Do not create a replacement IKE_SA if we have CHILD_SAs to route only
Martin Willi [Thu, 24 Sep 2009 12:14:30 +0000 (14:14 +0200)]
Do not create a replacement IKE_SA if we have CHILD_SAs to route only

11 years ago: Using the correct type for ME_ENDPOINT payloads in connectivity checks.
Tobias Brunner [Thu, 24 Sep 2009 09:28:43 +0000 (11:28 +0200)]
Using the correct type for ME_ENDPOINT payloads in connectivity checks.

11 years ago: Right-align short options in pki usage
Martin Willi [Thu, 24 Sep 2009 09:28:31 +0000 (11:28 +0200)]
Right-align short options in pki usage

11 years ago: certificate subject DNs are in double quotes
Andreas Steffen [Wed, 23 Sep 2009 20:03:52 +0000 (22:03 +0200)]
certificate subject DNs are in double quotes

11 years ago: streamlining of credential loading debug output
Andreas Steffen [Wed, 23 Sep 2009 19:55:48 +0000 (21:55 +0200)]
streamlining of credential loading debug output

11 years ago: added fix of PKCS#7 wrapped certificates to NEWS
Andreas Steffen [Wed, 23 Sep 2009 19:50:56 +0000 (21:50 +0200)]
added fix of PKCS#7 wrapped certificates to NEWS

11 years ago: added and fixed debug output of version information
Andreas Steffen [Wed, 23 Sep 2009 14:21:18 +0000 (16:21 +0200)]
added and fixed debug output of version information

11 years ago: fixed PKCS#7 wrapped certificate parsing
Andreas Steffen [Wed, 23 Sep 2009 13:51:40 +0000 (15:51 +0200)]
fixed PKCS#7 wrapped certificate parsing

11 years ago: Use mysql_config to query MySQL LIBS and CFLAGS
Martin Willi [Wed, 23 Sep 2009 10:45:03 +0000 (12:45 +0200)]
Use mysql_config to query MySQL LIBS and CFLAGS

11 years ago: Fixed a crash in source address lookup
Martin Willi [Wed, 23 Sep 2009 09:18:30 +0000 (11:18 +0200)]
Fixed a crash in source address lookup

11 years ago: Define ME for all charon plugins
Martin Willi [Wed, 23 Sep 2009 09:13:27 +0000 (11:13 +0200)]
Define ME for all charon plugins

11 years ago: Correctly handle --enable-mediation option
Martin Willi [Wed, 23 Sep 2009 08:49:38 +0000 (10:49 +0200)]
Correctly handle --enable-mediation option

11 years ago: enforce coding rules
Andreas Steffen [Tue, 22 Sep 2009 19:50:28 +0000 (21:50 +0200)]
enforce coding rules

11 years ago: enforce coding rules
Andreas Steffen [Tue, 22 Sep 2009 18:54:10 +0000 (20:54 +0200)]
enforce coding rules

11 years ago: set XFRM_STATE_AF_UNSPEC flag
Andreas Steffen [Tue, 22 Sep 2009 18:00:49 +0000 (20:00 +0200)]
set XFRM_STATE_AF_UNSPEC flag

11 years ago: Emit an ALERT_SHUTDOWN_SIGNAL before shutting down the daemon
Martin Willi [Tue, 22 Sep 2009 14:59:25 +0000 (16:59 +0200)]
Emit an ALERT_SHUTDOWN_SIGNAL before shutting down the daemon

11 years ago: adding additional flags to loaded X.509 certificates
Andreas Steffen [Tue, 22 Sep 2009 10:55:25 +0000 (12:55 +0200)]
adding additional flags to loaded X.509 certificates

11 years ago: readying NEWS for the strongswan-4.3.5dr2 release
Andreas Steffen [Tue, 22 Sep 2009 10:44:58 +0000 (12:44 +0200)]
readying NEWS for the strongswan-4.3.5dr2 release

11 years ago: shortened file loading debug output
Andreas Steffen [Tue, 22 Sep 2009 10:33:13 +0000 (12:33 +0200)]
shortened file loading debug output

11 years ago: computed hash-and-url for new certificates
Andreas Steffen [Tue, 22 Sep 2009 10:05:37 +0000 (12:05 +0200)]
computed hash-and-url for new certificates

11 years ago: Fixed encoding of hash-and-url cert payload
Martin Willi [Tue, 22 Sep 2009 08:07:04 +0000 (10:07 +0200)]
Fixed encoding of hash-and-url cert payload

11 years ago: Do not assign SIM version to a volatile buffer on stack
Martin Willi [Tue, 22 Sep 2009 07:11:35 +0000 (09:11 +0200)]
Do not assign SIM version to a volatile buffer on stack

11 years ago: CA certificates are looked up using the subjectPublicKeyInfo keyid
Martin Willi [Mon, 21 Sep 2009 16:13:25 +0000 (18:13 +0200)]
CA certificates are looked up using the subjectPublicKeyInfo keyid

11 years ago: Credential backends use has_fingerprint() methods to select keys/certificates
Martin Willi [Mon, 21 Sep 2009 15:03:00 +0000 (17:03 +0200)]
Credential backends use has_fingerprint() methods to select keys/certificates

11 years ago: Public/Private keys implement a has_fingerprint() method
Martin Willi [Mon, 21 Sep 2009 14:47:25 +0000 (16:47 +0200)]
Public/Private keys implement a has_fingerprint() method

11 years ago: Correctly serve certificates if CERT_ANY requested
Martin Willi [Mon, 21 Sep 2009 13:34:29 +0000 (15:34 +0200)]
Correctly serve certificates if CERT_ANY requested

11 years ago: Enforce a local address of the same family as remote address
Martin Willi [Mon, 21 Sep 2009 13:19:39 +0000 (15:19 +0200)]
Enforce a local address of the same family as remote address

11 years ago: Return certificates of requested kind only
Martin Willi [Mon, 21 Sep 2009 12:43:57 +0000 (14:43 +0200)]
Return certificates of requested kind only

11 years ago: plugin has been renamed to resolve
Andreas Steffen [Sun, 20 Sep 2009 20:03:23 +0000 (22:03 +0200)]
plugin has been renamed to resolve

11 years ago: delete resolv_conf_* files
Andreas Steffen [Sun, 20 Sep 2009 19:59:36 +0000 (21:59 +0200)]
delete resolv_conf_* files

11 years ago: all arguments must be read
Andreas Steffen [Sun, 20 Sep 2009 19:56:22 +0000 (21:56 +0200)]
all arguments must be read

11 years ago: resolv_conf plugin renamed to resolve
Andreas Steffen [Sun, 20 Sep 2009 17:06:58 +0000 (19:06 +0200)]
resolv_conf plugin renamed to resolve

11 years ago: adapt evaltest.dat to changed debug output
Andreas Steffen [Sun, 20 Sep 2009 15:23:24 +0000 (17:23 +0200)]
adapt evaltest.dat to changed debug output

11 years ago: renewed certs in dynamic-initiator/dynamic-responder scenarios
Andreas Steffen [Sat, 19 Sep 2009 06:18:42 +0000 (08:18 +0200)]
renewed certs in dynamic-initiator/dynamic-responder scenarios

11 years ago: use new certificates
Andreas Steffen [Fri, 18 Sep 2009 22:26:55 +0000 (00:26 +0200)]
use new certificates

11 years ago: eliminated double library_deinit()
Andreas Steffen [Fri, 18 Sep 2009 22:00:56 +0000 (00:00 +0200)]
eliminated double library_deinit()

11 years ago: keyids of renewed keys
Andreas Steffen [Fri, 18 Sep 2009 19:44:57 +0000 (21:44 +0200)]
keyids of renewed keys

11 years ago: updated to renewed certs in SQL database
Andreas Steffen [Fri, 18 Sep 2009 19:22:37 +0000 (21:22 +0200)]
updated to renewed certs in SQL database

11 years ago: renewal of end entity certificates
Andreas Steffen [Fri, 18 Sep 2009 19:17:03 +0000 (21:17 +0200)]
renewal of end entity certificates

11 years ago: fixed --enable-eap-md5 and --enable-eap-gtc options
Andreas Steffen [Fri, 18 Sep 2009 16:23:26 +0000 (18:23 +0200)]
fixed --enable-eap-md5 and --enable-eap-gtc options

11 years ago: backwards compatibility with SQL format
Andreas Steffen [Fri, 18 Sep 2009 05:22:07 +0000 (07:22 +0200)]
backwards compatibility with SQL format

11 years ago: Use helper functions to handle (non-)skippable attributes
Martin Willi [Fri, 18 Sep 2009 13:08:43 +0000 (15:08 +0200)]
Use helper functions to handle (non-)skippable attributes

11 years ago: Clients can handle AKA-Identity requests by sending the full identity
Martin Willi [Fri, 18 Sep 2009 12:51:35 +0000 (14:51 +0200)]
Clients can handle AKA-Identity requests by sending the full identity

11 years ago: nm uses the distribution's trusted root CAs if none is explicitly specified
Martin Willi [Fri, 18 Sep 2009 12:29:50 +0000 (14:29 +0200)]
nm uses the distribution's trusted root CAs if none is explicitly specified

11 years ago: some reformulations
Andreas Steffen [Thu, 17 Sep 2009 20:20:35 +0000 (22:20 +0200)]
some reformulations

11 years ago: get_private() in listcacerts requires a valid auth cfg
Martin Willi [Thu, 17 Sep 2009 10:47:03 +0000 (12:47 +0200)]
get_private() in listcacerts requires a valid auth cfg

11 years ago: Fixed nexthop lookup, used by source route installation
Martin Willi [Wed, 16 Sep 2009 11:55:32 +0000 (13:55 +0200)]
Fixed nexthop lookup, used by source route installation

11 years ago: Use continue to advance to next iteration
Martin Willi [Wed, 16 Sep 2009 11:32:47 +0000 (13:32 +0200)]
Use continue to advance to next iteration

11 years ago: Complain about missing %defaultroute support only if one is actually used
Martin Willi [Wed, 16 Sep 2009 11:27:49 +0000 (13:27 +0200)]
Complain about missing %defaultroute support only if one is actually used

11 years ago: Use the default debug hook if possible
Martin Willi [Wed, 16 Sep 2009 11:16:00 +0000 (13:16 +0200)]
Use the default debug hook if possible

11 years ago: Default logger implementation can be modified by dbg_default_set_level/stream
Martin Willi [Wed, 16 Sep 2009 11:06:16 +0000 (13:06 +0200)]
Default logger implementation can be modified by dbg_default_set_level/stream

11 years ago: Removed obsolete per-command debug level option
Martin Willi [Wed, 16 Sep 2009 10:52:56 +0000 (12:52 +0200)]
Removed obsolete per-command debug level option

11 years ago: Fixed loading of DER encoded certificate files
Martin Willi [Wed, 16 Sep 2009 09:24:35 +0000 (11:24 +0200)]
Fixed loading of DER encoded certificate files

11 years ago: corrected usage
Andreas Steffen [Tue, 15 Sep 2009 20:43:22 +0000 (22:43 +0200)]
corrected usage

11 years ago: pki --req generates a PKCS#10 certificate request
Andreas Steffen [Tue, 15 Sep 2009 20:33:32 +0000 (22:33 +0200)]
pki --req generates a PKCS#10 certificate request

11 years ago: implemented ASN.1 encoding of PKCS#10 attributes
Andreas Steffen [Tue, 15 Sep 2009 19:55:44 +0000 (21:55 +0200)]
implemented ASN.1 encoding of PKCS#10 attributes

11 years ago: fixed typo
Andreas Steffen [Tue, 15 Sep 2009 14:48:13 +0000 (16:48 +0200)]
fixed typo

11 years ago: Disable rtnetlink defaultroute lookup if pluto is disabled
Martin Willi [Tue, 15 Sep 2009 11:13:45 +0000 (13:13 +0200)]
Disable rtnetlink defaultroute lookup if pluto is disabled

As we do not support Pluto on BSD/Mac, exclude the Linux specific
rtnetlink routing lookup; Charon doesn't require it anyway.

11 years ago: Get starter default route via rtnetlink
Heiko Hund [Tue, 8 Sep 2009 09:32:50 +0000 (11:32 +0200)]
Get starter default route via rtnetlink

This patch changes the way routes are fetched from the kernel by starter.

The way it's currently done (via /proc) is limited to routes in the
"main" routing table. Routes from the "default" table are never seen by
starter. Starter may miss the default route even if it's set. Thus, default
routes are now read from the "main" and the "default" table.

The way this code behaves if more than one default route is found is slightly
different to before. Instead of bailing out it just chooses the one with the best
metric. I thought this was a reasonable change.