ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs
Martin Willi [Thu, 20 Feb 2014 15:08:43 +0000 (16:08 +0100)]

Prevents a responder peer from tricking us into the established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.

Fixes CVE-2014-2338.

eap-mschapv2: Fix potential leaks in case of invalid messages from servers
Tobias Brunner [Wed, 9 Apr 2014 16:04:33 +0000 (18:04 +0200)]

pts: Make sure the complete AIK blob has been read
Tobias Brunner [Wed, 9 Apr 2014 15:47:32 +0000 (17:47 +0200)]

attr: Don't shift the 32-bit netmask by 32
Tobias Brunner [Wed, 9 Apr 2014 15:09:55 +0000 (17:09 +0200)]

This is undefined behavior as per the C99 standard (sentence 1185):

 "If the value of the right operand is negative or is greater or equal
  to the width of the promoted left operand, the behavior is undefined."

Apparently shifts may be done modulo the width on some platforms so
a shift by 32 would not shift at all.
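An added example (not the strongSwan attr plugin's code) of the guard this commit describes: an IPv4 netmask builder that never shifts a 32-bit value by 32, plus a byte-wise variant that generalises the same idea to IPv6 prefix lengths.

```c
/* Build netmasks from a prefix length without ever shifting an integer by
 * its full width (C99 6.5.7: a shift count >= the width of the promoted
 * left operand is undefined behaviour). Example code, not strongSwan's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order IPv4 netmask for a prefix length of 0..32.
 * The naive ~0u << (32 - prefix) shifts a 32-bit value by 32 when prefix
 * is 0; on x86 the shift count is masked to 5 bits, so the shift becomes
 * a no-op and the "mask" comes out as 0xffffffff instead of 0. Handling
 * the zero prefix explicitly keeps every shift count in 0..31. */
uint32_t netmask4(unsigned prefix)
{
	if (prefix > 32)
	{
		prefix = 32;
	}
	if (prefix == 0)
	{
		return 0;
	}
	return (uint32_t)(0xffffffffu << (32 - prefix));
}

/* Byte-wise variant for any address width (4 for IPv4, 16 for IPv6).
 * 0xffu is a 32-bit unsigned int, so the shift count 1..8 is always
 * defined; truncation to uint8_t yields 0 for a zero prefix. */
void netmask_bytes(unsigned prefix, uint8_t *mask, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
	{
		if (prefix >= 8)
		{
			mask[i] = 0xff;
			prefix -= 8;
		}
		else
		{
			mask[i] = (uint8_t)(0xffu << (8 - prefix));
			prefix = 0;
		}
	}
}

int main(void)
{
	uint8_t m6[16];
	unsigned p;
	size_t i;

	for (p = 0; p <= 32; p += 8)
	{
		printf("/%-2u -> 0x%08x\n", p, netmask4(p));
	}
	netmask_bytes(33, m6, sizeof(m6));
	printf("/33 (IPv6) -> ");
	for (i = 0; i < sizeof(m6); i++)
	{
		printf("%02x", m6[i]);
	}
	printf("\n");
	return 0;
}
```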

nm: Fix NULL-pointer dereference when handling TUN device failure
Tobias Brunner [Wed, 9 Apr 2014 14:35:46 +0000 (16:35 +0200)]

x509: Don't include authKeyIdentifier in self-signed certificates
Tobias Brunner [Wed, 9 Apr 2014 13:28:54 +0000 (15:28 +0200)]

As the comment indicates this was the intention in
d7be2906433a7dcfefc1fd732587865688dbfe1b all along.

x509: Initialize certs when building optionalSignature for OCSP requests
Tobias Brunner [Wed, 9 Apr 2014 13:18:13 +0000 (15:18 +0200)]

stroke: Fix memory leak when printing unknown AC group OIDs
Tobias Brunner [Wed, 9 Apr 2014 14:05:55 +0000 (16:05 +0200)]

pki: Fix memory leak when printing unknown AC group OIDs
Tobias Brunner [Wed, 9 Apr 2014 13:53:35 +0000 (15:53 +0200)]

pki: Removed extra continue statement
Tobias Brunner [Wed, 9 Apr 2014 13:12:27 +0000 (15:12 +0200)]

Added support for msSmartcardLogon EKU
Andreas Steffen [Tue, 8 Apr 2014 11:09:03 +0000 (13:09 +0200)]

Added some more OIDs
Andreas Steffen [Tue, 8 Apr 2014 09:32:30 +0000 (11:32 +0200)]

Initialize m1 to suppress compiler warning
Andreas Steffen [Mon, 7 Apr 2014 11:29:39 +0000 (13:29 +0200)]

Fixed another dirname/basename refactoring bug.
Andreas Steffen [Sun, 6 Apr 2014 15:54:55 +0000 (17:54 +0200)]

file was freed before use.

Fixed dirname/basename refactoring bug.
Andreas Steffen [Sun, 6 Apr 2014 15:26:52 +0000 (17:26 +0200)]

Variables used in a database query have to be kept until the end of the enumeration.

Added SHA3 OIDs
Andreas Steffen [Fri, 4 Apr 2014 21:44:55 +0000 (23:44 +0200)]

Fixed pretest script in tnc/tnccs-20-pt-tls scenario
Andreas Steffen [Fri, 4 Apr 2014 21:04:54 +0000 (23:04 +0200)]

ike-cfg: Properly compare IKE proposals for equality (tag: 5.1.3rc1)
Tobias Brunner [Wed, 2 Apr 2014 13:06:56 +0000 (15:06 +0200)]

leak-detective: LEAK_DETECTIVE_DISABLE completely disables LD
Tobias Brunner [Tue, 1 Apr 2014 08:30:13 +0000 (10:30 +0200)]

If lib->leak_detective is non-null some code parts (e.g. the plugin
loader) assume LD is actually used.

testing: Run 'conntrack -F' before all test scenarios
Tobias Brunner [Tue, 2 Jul 2013 12:01:38 +0000 (14:01 +0200)]

This prevents failures due to remaining conntrack entries.

unit-tests: Verify two bytes at once when testing chunk_clear()
Tobias Brunner [Wed, 2 Apr 2014 09:50:11 +0000 (11:50 +0200)]

This reduces the chances of arbitrary test failures if the memory area
already got overwritten.

Merge branch 'tls-unit-tests'
Martin Willi [Tue, 1 Apr 2014 12:53:28 +0000 (14:53 +0200)]

Add some initial unit-tests to libtls, testing all supported cipher suites
against self, both with and without client authentication, for all supported
TLS versions.

tls: Add a test case to check correct enum name mapping of cipher suites
Martin Willi [Tue, 25 Mar 2014 08:25:14 +0000 (09:25 +0100)]

tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0
Martin Willi [Mon, 24 Mar 2014 17:01:00 +0000 (18:01 +0100)]

tls: Remove superfluous initializers in TLS AEAD implementations
Martin Willi [Tue, 1 Apr 2014 09:45:45 +0000 (11:45 +0200)]

tls: Support a maximum TLS version to negotiate using TLS socket abstraction
Martin Willi [Tue, 25 Mar 2014 09:12:51 +0000 (10:12 +0100)]

tls: Support a null encryption flag on TLS socket abstraction
Martin Willi [Tue, 25 Mar 2014 09:19:41 +0000 (10:19 +0100)]

tls: Introduce a generic TLS purpose that accepts NULL encryption ciphers
Martin Willi [Tue, 25 Mar 2014 08:49:04 +0000 (09:49 +0100)]

tls: Export a function to list supported TLS cipher suites
Martin Willi [Mon, 24 Mar 2014 13:28:50 +0000 (14:28 +0100)]

tls: Create a unit-test runner
Martin Willi [Mon, 24 Mar 2014 12:47:03 +0000 (13:47 +0100)]

unit-tests: Catch timeouts during test runner deinit function
Martin Willi [Tue, 25 Mar 2014 13:14:37 +0000 (14:14 +0100)]

The test runner deinit function often cancels all threads from the pool. This
operation might hang on error conditions, hence we should include that hook in
the test timeout to fail properly.

unit-tests: Prevent a failing worker thread from going wild after it fails
Martin Willi [Mon, 24 Mar 2014 16:17:50 +0000 (17:17 +0100)]

A worker raises SIGUSR1 to inform the main thread that the test fails. The main
thread then starts cancelling workers, but the offending thread should be
terminated immediately to prevent it from test continuation.

Test TLS AEAD cipher suites
Andreas Steffen [Tue, 1 Apr 2014 08:12:15 +0000 (10:12 +0200)]

Added Ubuntu 14.04 to IMV database
Andreas Steffen [Mon, 31 Mar 2014 20:22:51 +0000 (22:22 +0200)]

Slightly edited evaltest of ikev2/ocsp-untrusted-cert scenario
Andreas Steffen [Mon, 31 Mar 2014 20:08:50 +0000 (22:08 +0200)]

unit-tests: Always load address of testable functions
Tobias Brunner [Mon, 31 Mar 2014 14:58:46 +0000 (16:58 +0200)]

The addresses can actually change as plugins are loaded/unloaded for
each test case.

Fixes #551.

settings: Reduce log verbosity if strongswan.conf does not exist
Tobias Brunner [Mon, 31 Mar 2014 12:47:00 +0000 (14:47 +0200)]

In some situations we expect strongswan.conf to not exist, for instance,
when running the unit tests before installation.

test-vectors: Renumber AES-GCM test vectors according to original source
Tobias Brunner [Thu, 13 Mar 2014 13:05:29 +0000 (14:05 +0100)]

Also adds several missing ones.

Merge branch 'tls-aead'
Martin Willi [Mon, 31 Mar 2014 14:17:57 +0000 (16:17 +0200)]

Adds AEAD support to the TLS stack, currently supporting AES-GCM. Brings fixes
for TLS record fragmentation, enforcing TLS versions < 1.2 and proper signature
scheme support indication.

NEWS: Note TLS AEAD mode
Martin Willi [Mon, 31 Mar 2014 14:17:15 +0000 (16:17 +0200)]

tls: Fix some TLS cipher suite enum names
Martin Willi [Tue, 25 Mar 2014 08:20:15 +0000 (09:20 +0100)]

It is important to have them mapped correctly, as we use these official TLS
identifiers to configure specific TLS suites.

tls: Include TLS version announced in Client Hello in encrypted premaster
Martin Willi [Tue, 25 Mar 2014 09:50:51 +0000 (10:50 +0100)]

While a hardcoded 1.2 version is fine when we offer that in Client Hello, we
should include the actually offered version if it has been reduced before
starting the exchange.

tls: Check for minimal TLS record length before each record iteration
Martin Willi [Fri, 21 Mar 2014 08:29:44 +0000 (09:29 +0100)]

Fixes fragment reassembling if a buffer contains more than one record, but
the last record contains a partial TLS record header. Thanks to Nick Saunders
and Jamil Nimeh for identifying this issue and providing a fix for it.

tls: Fix AEAD algorithm filtering, avoid filtering all suites if no AEAD found
Martin Willi [Tue, 11 Mar 2014 09:57:18 +0000 (10:57 +0100)]

tls: Offer TLS signature schemes in ClientHello in order of preference
Martin Willi [Wed, 15 Jan 2014 14:51:03 +0000 (15:51 +0100)]

Additionally, we now query plugin features to find out what schemes we exactly

tls: Define AES-GCM cipher suites from RFC 5288/5289
Martin Willi [Mon, 3 Feb 2014 17:08:11 +0000 (18:08 +0100)]

tls: Implement the TLS AEAD abstraction for real AEAD modes
Martin Willi [Mon, 3 Feb 2014 17:03:41 +0000 (18:03 +0100)]

tls: Separate TLS protection to abstracted AEAD modes
Martin Willi [Mon, 3 Feb 2014 12:20:46 +0000 (13:20 +0100)]

To better separate the code path for different TLS versions and modes of
operation, we introduce a TLS AEAD abstraction. We provide three implementations
using traditional transforms, and get prepared for TLS AEAD modes.

aead: Support custom AEAD salt sizes
Martin Willi [Fri, 31 Jan 2014 14:53:38 +0000 (15:53 +0100)]

The salt, often called the implicit nonce, varies between AEAD algorithms and
their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses
3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM.

Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine
until we go for CCM mode support in TLS, which requires 4 byte nonces.

ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeying
Martin Willi [Thu, 27 Feb 2014 08:36:46 +0000 (09:36 +0100)]

Works around issues related to system time changes and kernel backends using
that system time, such as Linux XFRM.

revocation: Log error if no OCSP signer candidate found
Martin Willi [Mon, 31 Mar 2014 12:53:15 +0000 (14:53 +0200)]

Fixes evaluation of ikev2/ocsp-untrusted-cert.

Merge branch 'ocsp-constraints'
Martin Willi [Mon, 31 Mar 2014 12:44:50 +0000 (14:44 +0200)]

Limits cached OCSP verification to responses signed by the CA, a directly
delegated signer or a pre-installed OCSP responder certificate. Disables
auth config merge for revocation trust-chain strength checking, as it breaks
CA constraints in some scenarios.

revocation: Restrict OCSP signing to specific certificates
Martin Willi [Tue, 25 Mar 2014 13:34:58 +0000 (14:34 +0100)]

To avoid considering each cached OCSP response and evaluating its trustchain,
we limit the certificates considered for OCSP signing to:

- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint

The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as exception,
but require the installation of such certificates locally.

revocation: Don't merge auth config of CRL/OCSP trustchain validation
Martin Willi [Thu, 27 Mar 2014 09:59:29 +0000 (10:59 +0100)]

This behavior was introduced with 6840a6fb to avoid key/signature strength
checking for the revocation trustchain as we do it for end entity certificates.
Unfortunately this breaks CA constraint checking under certain conditions, as
we merge additional intermediate/CA certificates to the auth config.

As key/signature strength checking of the revocation trustchain is a rather
exotic requirement we drop support for that to properly enforce CA constraints.

hashtable: Make key arguments const
Tobias Brunner [Thu, 27 Mar 2014 10:57:54 +0000 (11:57 +0100)]

This allows using const strings etc. for lookups without a cast. And keys
are not modifiable anyway.

Properly hash pointers for hash tables where appropriate
Tobias Brunner [Thu, 27 Mar 2014 10:37:16 +0000 (11:37 +0100)]

Simply using the pointer is not optimal for our hash table
implementation, which simply masks the key to determine the bucket.

kernel-pfroute: Let get_nexthop() default to destination address
Tobias Brunner [Tue, 11 Mar 2014 14:19:33 +0000 (15:19 +0100)]

x509: CERT_DECODE actually requires KEY_ANY
Tobias Brunner [Thu, 6 Mar 2014 11:20:55 +0000 (12:20 +0100)]

More specific decoders might still be needed, but the x509
plugin should not care which ones.

pkcs1: KEY_ANY public key decoder soft depends on specific decoders
Tobias Brunner [Thu, 6 Mar 2014 11:20:05 +0000 (12:20 +0100)]

eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates
Tobias Brunner [Wed, 5 Mar 2014 14:17:25 +0000 (15:17 +0100)]

Fixes #528.

ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal
Tobias Brunner [Mon, 3 Mar 2014 13:03:46 +0000 (14:03 +0100)]

Fixes #533.

proposal: Don't fail DH proposal matching if peer includes NONE
Tobias Brunner [Fri, 28 Feb 2014 14:27:52 +0000 (15:27 +0100)]

The DH transform is optional for ESP/AH proposals. The initiator can
include NONE (0) in its proposal to indicate that while it prefers to
do a DH exchange, the responder may still decide to not do so.

Fixes #532.

conf: Order settings in man page alphabetically
Tobias Brunner [Sat, 1 Mar 2014 16:01:53 +0000 (17:01 +0100)]

For the config snippets the options are now explicitly ordered before

Merge branch 'acerts'
Martin Willi [Mon, 31 Mar 2014 10:11:04 +0000 (12:11 +0200)]

(Re-)Introduces X.509 Attribute Certificate support in IKE, and cleans up the
x509 AC parser/generator. ACs may be stored locally or exchanged in IKEv2
CERT payloads; Attribute Authorities must be installed locally. pki --acert
issues Attribute Certificates and replaces the removed openac utility.

NEWS: Add acert and pki changes for 5.1.3
Martin Willi [Mon, 31 Mar 2014 09:23:22 +0000 (11:23 +0200)]

openac: Remove obsolete openac utility
Martin Willi [Mon, 31 Mar 2014 09:30:51 +0000 (11:30 +0200)]

The same functionality is now provided by the pki --acert subcommand.

pki: Document --not-before/after and --dateform options in manpages
Martin Willi [Thu, 27 Mar 2014 15:12:29 +0000 (16:12 +0100)]

pki: Support absolute --this/next-update CRL lifetimes
Martin Willi [Thu, 27 Mar 2014 14:56:20 +0000 (15:56 +0100)]

pki: Support absolute --not-before/after issued certificate lifetimes
Martin Willi [Thu, 27 Mar 2014 14:45:52 +0000 (15:45 +0100)]

pki: Support absolute --not-before/after self-signed certificate lifetimes
Martin Willi [Thu, 27 Mar 2014 14:45:32 +0000 (15:45 +0100)]

pki: Support absolute --not-before/after acert lifetimes
Martin Willi [Thu, 27 Mar 2014 13:47:18 +0000 (14:47 +0100)]

pki: Add a certificate lifetime calculation helper function
Martin Willi [Thu, 27 Mar 2014 13:46:41 +0000 (14:46 +0100)]

testing: Add an acert test that forces a fallback connection based on groups
Martin Willi [Fri, 7 Feb 2014 10:51:08 +0000 (11:51 +0100)]

testing: Add an acert test case sending attribute certificates inline
Martin Willi [Fri, 7 Feb 2014 10:22:39 +0000 (11:22 +0100)]

testing: Add an acert test using locally cached attribute certificates
Martin Willi [Fri, 7 Feb 2014 09:28:50 +0000 (10:28 +0100)]

testing: build strongSwan with acert plugin
Martin Willi [Fri, 7 Feb 2014 09:26:08 +0000 (10:26 +0100)]

ikev2: Cache all received attribute certificates to auth config
Martin Willi [Wed, 5 Feb 2014 16:56:05 +0000 (17:56 +0100)]

ikev2: Send all known and valid attribute certificates for subject cert
Martin Willi [Wed, 5 Feb 2014 16:48:35 +0000 (17:48 +0100)]

ikev2: Slightly refactor certificate payload construction to separate functions
Martin Willi [Wed, 5 Feb 2014 16:25:48 +0000 (17:25 +0100)]

ike: Support encoding of attribute certificates in CERT payloads
Martin Willi [Wed, 5 Feb 2014 16:46:01 +0000 (17:46 +0100)]

auth-cfg: Declare an attribute certificate helper type to exchange acerts
Martin Willi [Wed, 5 Feb 2014 16:15:45 +0000 (17:15 +0100)]

acert: Implement a plugin finding, validating and evaluating attribute certs
Martin Willi [Wed, 5 Feb 2014 15:59:55 +0000 (16:59 +0100)]

This validator checks for any attribute certificate it can find for validated
end entity certificates and tries to extract group membership information
used for connection authorization rules.

x509: Match acert has_subject() against entityName or holder serial
Martin Willi [Wed, 5 Feb 2014 13:45:47 +0000 (14:45 +0100)]

This allows us to find attribute certificates for a subject certificate in
credential sets.

pki: Add acert and extend pki/print manpages
Martin Willi [Wed, 5 Feb 2014 11:49:10 +0000 (12:49 +0100)]

pki: Implement an acert command to issue attribute certificates
Martin Willi [Wed, 5 Feb 2014 11:28:00 +0000 (12:28 +0100)]

pki: Support printing attribute certificates
Martin Willi [Wed, 5 Feb 2014 11:24:03 +0000 (12:24 +0100)]

pki: Don't generate negative random serial numbers in X.509 certificates
Martin Willi [Wed, 5 Feb 2014 10:05:28 +0000 (11:05 +0100)]

According to RFC 5280 we MUST force non-negative serial numbers.

pem: Support encoding of attribute certificates
Martin Willi [Wed, 5 Feb 2014 11:19:34 +0000 (12:19 +0100)]

While there is no widely used PEM header for attribute certificates, at least

x509: Replace the comma separated string AC group builder with a list based one
Martin Willi [Tue, 4 Feb 2014 15:24:03 +0000 (16:24 +0100)]

x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
Martin Willi [Tue, 4 Feb 2014 15:11:37 +0000 (16:11 +0100)]

The ietf_attributes_t class is used for attribute certificates only these days,
and integrating them to x509_ac_t simplifies things significantly.

x509: Replace fixed acert group string getter by a more dynamic group enumerator
Martin Willi [Tue, 4 Feb 2014 14:41:09 +0000 (15:41 +0100)]

x509: Skip parsing of acert chargingIdentity, as we don't use it anyway
Martin Willi [Tue, 4 Feb 2014 14:16:26 +0000 (15:16 +0100)]

x509: Fix some whitespaces and do some minor style cleanups in acert
Martin Willi [Tue, 4 Feb 2014 14:05:26 +0000 (15:05 +0100)]

ac: Remove unimplemented equals_holder() method from ac_t
Martin Willi [Tue, 4 Feb 2014 13:41:30 +0000 (14:41 +0100)]

Added libipsec/net2net-3des scenario
Andreas Steffen [Fri, 28 Mar 2014 08:21:51 +0000 (09:21 +0100)]

Renewed self-signed OCSP signer certificate
Andreas Steffen [Thu, 27 Mar 2014 21:49:53 +0000 (22:49 +0100)]

unit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms
Tobias Brunner [Thu, 27 Mar 2014 14:35:32 +0000 (15:35 +0100)]

In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts
the tests failed as the actual integer value got cut off.

travis: Run the "all" test case with leak detective enabled
Tobias Brunner [Tue, 25 Mar 2014 10:46:17 +0000 (11:46 +0100)]

But disable the gcrypt plugin, as it causes leaks.

Also disable the backtraces by libunwind as they seem to cause
threads to get cleaned up after the leak detective already has been
disabled, which leads to invalid free()s.

unit-tests: Fix memory leak in ntru tests
Tobias Brunner [Tue, 25 Mar 2014 10:45:25 +0000 (11:45 +0100)]

Version bump to 5.1.3rc1
Andreas Steffen [Wed, 26 Mar 2014 21:00:00 +0000 (22:00 +0100)]