strongswan.git
Martin Willi [Mon, 10 Jan 2011 10:54:10 +0000 (11:54 +0100)]
Send INITIAL_CONTACT even if we have a unique policy

Andreas Steffen [Sun, 9 Jan 2011 09:00:54 +0000 (10:00 +0100)]
implemented parsing of TNCCS 1.1 messages

Andreas Steffen [Sun, 9 Jan 2011 09:00:13 +0000 (10:00 +0100)]
send notifyConnectionChange() to IMCs

Andreas Steffen [Sat, 8 Jan 2011 01:17:14 +0000 (02:17 +0100)]
suiteb directory hasn't been moved to Master yet

Andreas Steffen [Sat, 8 Jan 2011 01:16:14 +0000 (02:16 +0100)]
generate TNCCS-Error messages

Andreas Steffen [Sat, 8 Jan 2011 01:15:10 +0000 (02:15 +0100)]
created process() method for TNCCS messages

Martin Willi [Fri, 7 Jan 2011 14:45:53 +0000 (15:45 +0100)]
Added NEWS for ipsec.conf certpolicy and key strength options

Martin Willi [Fri, 7 Jan 2011 14:38:34 +0000 (15:38 +0100)]
Added support for trustchain key strength checking to rightauth option

Martin Willi [Fri, 7 Jan 2011 14:14:41 +0000 (15:14 +0100)]
Added a left/rightcertpolicy keyword to specify certificatePolicy requirements

Martin Willi [Fri, 7 Jan 2011 12:32:28 +0000 (13:32 +0100)]
Fix nonce comparison in rekey collisions, lowest nonce loses

Andreas Steffen [Fri, 7 Jan 2011 06:18:42 +0000 (07:18 +0100)]
corrected naming of tnccs_reason_strings_msg_t object

Andreas Steffen [Fri, 7 Jan 2011 06:17:52 +0000 (07:17 +0100)]
do not forget to advance node

Andreas Steffen [Fri, 7 Jan 2011 05:28:08 +0000 (06:28 +0100)]
libcharon plugins depend on libtls and/or libsimaka

Andreas Steffen [Fri, 7 Jan 2011 04:41:01 +0000 (05:41 +0100)]
fixed cert_validator_t:validate interface

Andreas Steffen [Fri, 7 Jan 2011 04:29:04 +0000 (05:29 +0100)]
implemented TNCCS 1.1 without libtnc

Andreas Steffen [Fri, 7 Jan 2011 04:28:17 +0000 (05:28 +0100)]
compute memory requirement for PEM-encoding correctly

Martin Willi [Wed, 5 Jan 2011 17:20:11 +0000 (18:20 +0100)]
Added delta CRL NEWS

Martin Willi [Wed, 5 Jan 2011 17:15:44 +0000 (18:15 +0100)]
Added constraints plugin NEWS

Martin Willi [Wed, 5 Jan 2011 17:09:49 +0000 (18:09 +0100)]
Added conftest NEWS

Martin Willi [Wed, 5 Jan 2011 17:05:09 +0000 (18:05 +0100)]
Added NEWS about INITIAL_CONTACT support

Martin Willi [Wed, 5 Jan 2011 15:44:01 +0000 (16:44 +0100)]
Destroy existing IKE_SAs with same identities when receiving INITIAL_CONTACT

Martin Willi [Wed, 5 Jan 2011 14:58:38 +0000 (15:58 +0100)]
Send INITIAL_CONTACT for the first IKE_SA if it has a unique policy

Martin Willi [Wed, 5 Jan 2011 14:15:34 +0000 (15:15 +0100)]
Migrated ike_sa_manager_t to INIT/METHOD macros, some cleanups

Martin Willi [Thu, 23 Dec 2010 14:40:09 +0000 (15:40 +0100)]
Added option to use a different key when rebuilding AUTH

Martin Willi [Thu, 23 Dec 2010 14:22:32 +0000 (15:22 +0100)]
Do not print empty DN identities as invalid

Martin Willi [Thu, 23 Dec 2010 14:21:52 +0000 (15:21 +0100)]
Added support for empty subjects DNs to pki --issue

Martin Willi [Thu, 23 Dec 2010 14:00:34 +0000 (15:00 +0100)]
Added support for OCSP responder URIs to conftest

Martin Willi [Thu, 23 Dec 2010 13:51:00 +0000 (14:51 +0100)]
Added support for delta CRL checking to revocation plugin

Martin Willi [Thu, 23 Dec 2010 13:50:04 +0000 (14:50 +0100)]
Use incremented serial of base CRL when signing delta CRL

Martin Willi [Thu, 23 Dec 2010 13:40:37 +0000 (14:40 +0100)]
Show base CRL of delta CRLs in listcrls

Martin Willi [Thu, 23 Dec 2010 13:36:20 +0000 (14:36 +0100)]
Verify trustchain for each candidate certificate only once

Martin Willi [Thu, 23 Dec 2010 11:18:15 +0000 (12:18 +0100)]
Provide CRLs received in CERT payloads to trustchain verification

Martin Willi [Thu, 23 Dec 2010 11:17:49 +0000 (12:17 +0100)]
Added an AUTH_HELPER for revocation certificates

Martin Willi [Thu, 23 Dec 2010 10:54:17 +0000 (11:54 +0100)]
Added support for CDPs to conftest

Martin Willi [Thu, 23 Dec 2010 10:54:01 +0000 (11:54 +0100)]
Added CDP support to mem_cred

Martin Willi [Thu, 23 Dec 2010 10:44:36 +0000 (11:44 +0100)]
Check for issuer only if we actually got a CRL

Martin Willi [Wed, 22 Dec 2010 17:00:11 +0000 (18:00 +0100)]
Updated conftest README

Martin Willi [Wed, 22 Dec 2010 16:19:28 +0000 (17:19 +0100)]
Added support for custom file loggers, loglevel settings

Martin Willi [Wed, 22 Dec 2010 15:08:20 +0000 (16:08 +0100)]
Check inhibitAnyPolicy in constraints plugin

Martin Willi [Wed, 22 Dec 2010 14:58:00 +0000 (15:58 +0100)]
Slightly renamed different policyConstraints to distinguish them better

Martin Willi [Wed, 22 Dec 2010 14:52:19 +0000 (15:52 +0100)]
Added inhibitAnyPolicy constraint support to pki tool

Martin Willi [Wed, 22 Dec 2010 14:52:02 +0000 (15:52 +0100)]
Added support for inhibitAnyPolicy constraint to x509 plugin

Martin Willi [Wed, 22 Dec 2010 14:10:03 +0000 (15:10 +0100)]
Use a generic getter for all numerical X.509 constraints

Martin Willi [Wed, 22 Dec 2010 13:53:46 +0000 (14:53 +0100)]
Check inhibitPolicyMapping in constraints plugin

Martin Willi [Wed, 22 Dec 2010 09:38:06 +0000 (10:38 +0100)]
Check requireExplicitPolicy in constraints plugin

Martin Willi [Wed, 22 Dec 2010 10:49:16 +0000 (11:49 +0100)]
Include subject cert to temporary auth info before completing trustchain

Martin Willi [Wed, 22 Dec 2010 10:42:44 +0000 (11:42 +0100)]
Fail silently when trying to convert IPv6 address to v4 family host

Martin Willi [Wed, 22 Dec 2010 09:43:06 +0000 (10:43 +0100)]
Pass an additional anchor flag to validate() hook if we reach the root CA

Martin Willi [Wed, 22 Dec 2010 09:34:58 +0000 (10:34 +0100)]
Always pass auth info to validate(), use pathlen to check for user certificate

Martin Willi [Mon, 20 Dec 2010 14:49:00 +0000 (15:49 +0100)]
Merge test config into suite config, instead of having two distinct configs

Martin Willi [Fri, 17 Dec 2010 16:00:32 +0000 (17:00 +0100)]
Added support for delta CRLs to pki tool

Martin Willi [Fri, 17 Dec 2010 15:53:00 +0000 (16:53 +0100)]
Added support for delta CRLs to x509 plugin

Martin Willi [Fri, 17 Dec 2010 15:52:04 +0000 (16:52 +0100)]
Moved CRL distribution point building to an exportable function

Martin Willi [Fri, 17 Dec 2010 14:52:15 +0000 (15:52 +0100)]
Simplified format of x509 CRL URI parsing/enumerator

Martin Willi [Fri, 17 Dec 2010 10:40:01 +0000 (11:40 +0100)]
Fail on critical extensions in openssl CRLs

Martin Willi [Fri, 17 Dec 2010 10:38:04 +0000 (11:38 +0100)]
Respect enforce_critical setting in x509 plugin CRLs

Martin Willi [Fri, 17 Dec 2010 10:36:15 +0000 (11:36 +0100)]
Parse CRL extensions in a switch statement

Martin Willi [Thu, 16 Dec 2010 15:44:33 +0000 (16:44 +0100)]
Respect policy mappings in certificatePolicy validation

Martin Willi [Thu, 16 Dec 2010 15:18:11 +0000 (16:18 +0100)]
Added a cert_policy option to conftest configurations

Martin Willi [Thu, 16 Dec 2010 10:24:52 +0000 (11:24 +0100)]
Validate simple certificatePolicy inheritance

Martin Willi [Thu, 16 Dec 2010 10:25:32 +0000 (11:25 +0100)]
Added a certificate policy OID auth_cfg constraint

Martin Willi [Wed, 15 Dec 2010 16:46:04 +0000 (17:46 +0100)]
Added policyConstraints support to pki tool

Martin Willi [Wed, 15 Dec 2010 16:45:32 +0000 (17:45 +0100)]
Added support for policyConstraints to x509 plugin

Martin Willi [Wed, 15 Dec 2010 15:42:30 +0000 (16:42 +0100)]
Slightly renamed X509_NO_PATH_LEN_CONSTRAINT to use it for PolicyConstraints, too

Martin Willi [Wed, 15 Dec 2010 14:30:09 +0000 (14:30 +0000)]
Added policyMappings support to pki tool

Martin Willi [Wed, 15 Dec 2010 14:29:25 +0000 (14:29 +0000)]
Added policyMappings support to x509 plugin

Martin Willi [Wed, 15 Dec 2010 14:28:31 +0000 (14:28 +0000)]
Added policyMappings OID identifier

Martin Willi [Wed, 15 Dec 2010 13:31:04 +0000 (14:31 +0100)]
Added certificatePolicy options to pki tool

Martin Willi [Wed, 15 Dec 2010 13:08:20 +0000 (14:08 +0100)]
Added certificatePolicy support to x509 plugin

Martin Willi [Wed, 15 Dec 2010 11:15:12 +0000 (12:15 +0100)]
Added a null-safe strdup variant

Martin Willi [Tue, 14 Dec 2010 16:34:34 +0000 (17:34 +0100)]
Fail when parsing unsupported critical extensions in openssl_x509

Martin Willi [Tue, 14 Dec 2010 16:34:02 +0000 (17:34 +0100)]
Added CertificatePolicy OID identifier

Martin Willi [Tue, 14 Dec 2010 13:49:17 +0000 (14:49 +0100)]
Added command line tool for OID to DER conversion function

Martin Willi [Tue, 14 Dec 2010 13:47:44 +0000 (14:47 +0100)]
Added conversion functions between string OIDs and its DER encoding

Martin Willi [Mon, 13 Dec 2010 13:22:00 +0000 (14:22 +0100)]
Do not parse certificates with invalid version in openssl plugin

Martin Willi [Thu, 9 Dec 2010 15:39:07 +0000 (16:39 +0100)]
Implemented NameConstraint matching in constraints plugin

Martin Willi [Thu, 9 Dec 2010 15:29:22 +0000 (16:29 +0100)]
pki --issue/self support permitted/excluded NameConstraints

Martin Willi [Thu, 9 Dec 2010 12:34:17 +0000 (13:34 +0100)]
pki --print prints NameConstraints

Martin Willi [Thu, 9 Dec 2010 12:33:43 +0000 (13:33 +0100)]
Added support for generating NameConstraints in x509 plugin

Martin Willi [Thu, 9 Dec 2010 12:33:07 +0000 (13:33 +0100)]
Added support for parsing NameConstraints in x509 plugin

Martin Willi [Thu, 9 Dec 2010 10:50:50 +0000 (11:50 +0100)]
Added name constraint enumerator to x509 interface

Martin Willi [Thu, 9 Dec 2010 10:44:31 +0000 (11:44 +0100)]
Migrated x509_cert_t to INIT/METHOD macros

Martin Willi [Thu, 9 Dec 2010 09:46:48 +0000 (10:46 +0100)]
Moved X509 pathlen constraint checking to constraints plugin

Martin Willi [Thu, 9 Dec 2010 09:41:54 +0000 (09:41 +0000)]
Added plugin stub for advanced X509 constraint checking

Martin Willi [Fri, 10 Dec 2010 17:18:24 +0000 (18:18 +0100)]
Added a hook to reset ESP sequence numbers

Martin Willi [Fri, 10 Dec 2010 13:33:28 +0000 (14:33 +0100)]
Accept a suffix to differentiate x509, crl, ecdsa and rsa files

Martin Willi [Fri, 10 Dec 2010 13:25:19 +0000 (14:25 +0100)]
Use strncaseeq instead of strncasecmp

Martin Willi [Fri, 10 Dec 2010 13:22:18 +0000 (14:22 +0100)]
Added a strncaseeq variant to the string comparison macros

Martin Willi [Fri, 10 Dec 2010 10:29:39 +0000 (11:29 +0100)]
Added tfc_padding option, changes signature to master changes

Martin Willi [Tue, 7 Dec 2010 16:53:13 +0000 (17:53 +0100)]
CRL/OCSP validation stores trustchain information in auth_cfg

Martin Willi [Tue, 7 Dec 2010 16:48:23 +0000 (17:48 +0100)]
Key strength checking stores all key sizes in auth_cfg, verifies all in complies()

Martin Willi [Mon, 6 Dec 2010 09:36:51 +0000 (10:36 +0100)]
Install "ipsec" script with tools or conftest

Martin Willi [Fri, 3 Dec 2010 13:29:03 +0000 (14:29 +0100)]
Use subject, not issuer, of CRL issuing certificate

Martin Willi [Fri, 3 Dec 2010 12:51:51 +0000 (13:51 +0100)]
CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation

Martin Willi [Fri, 3 Dec 2010 12:26:38 +0000 (13:26 +0100)]
Parse and encode crlSign keyUsage flag in x509 plugin

Martin Willi [Fri, 3 Dec 2010 12:25:45 +0000 (13:25 +0100)]
pki tool shows and builds crlSign keyUsage

Martin Willi [Fri, 3 Dec 2010 12:24:49 +0000 (13:24 +0100)]
Added a flag for X509 CRLSign keyUsage

Martin Willi [Fri, 3 Dec 2010 12:23:59 +0000 (13:23 +0100)]
Remove x509_flag_names, flags do not work with ENUM()

Martin Willi [Thu, 2 Dec 2010 14:38:44 +0000 (15:38 +0100)]
Use certificate CRLIssuer information to look up cached CRLs or CDPs

Martin Willi [Thu, 2 Dec 2010 14:37:28 +0000 (15:37 +0100)]
Added --crlissuer option to pki --issue