strongswan.git
10 years agoAdded medsrv.fcgi to gitignore
Martin Willi [Thu, 8 Oct 2009 11:10:02 +0000 (13:10 +0200)]
Added medsrv.fcgi to gitignore

10 years agomedsrv.fcgi is not part of the git tree
Andreas Steffen [Thu, 8 Oct 2009 11:05:27 +0000 (13:05 +0200)]
medsrv.fcgi is not part of the git tree

10 years agohex_str() isn't used externally any more
Andreas Steffen [Thu, 8 Oct 2009 11:04:07 +0000 (13:04 +0200)]
hex_str() isn't used externally any more

10 years agoparsing of generalNames is not needed any more
Andreas Steffen [Thu, 8 Oct 2009 10:42:29 +0000 (12:42 +0200)]
parsing of generalNames is not needed any more

10 years agouse of asn1_build_known_oid()
Andreas Steffen [Thu, 8 Oct 2009 10:35:36 +0000 (12:35 +0200)]
use of asn1_build_known_oid()

10 years agomigrated public key IDs to identification_t
Andreas Steffen [Thu, 8 Oct 2009 09:25:33 +0000 (11:25 +0200)]
migrated public key IDs to identification_t

10 years agoReenabled acq_expires SA timer using rekey timeout
Martin Willi [Wed, 7 Oct 2009 09:40:36 +0000 (11:40 +0200)]
Reenabled acq_expires SA timer using rekey timeout

While not using a SA expiration for allocating SPIs works fine,
the situation is much more problematic for kernel-created temporary
SAs from acquires. If the negotiation of such a CHILD_SA fails,
the created temporary SA can not be deleted.

10 years agoCatch CHILD_SA state changes during acquire
Martin Willi [Wed, 7 Oct 2009 08:14:18 +0000 (10:14 +0200)]
Catch CHILD_SA state changes during acquire

If an acquire fails due to a TS_UNACCEPTABLE or other CHILD_SA only errors,
we have to reset the pending state in the trap manager.

10 years agolist subjectAltNames
Andreas Steffen [Tue, 6 Oct 2009 21:50:26 +0000 (23:50 +0200)]
list subjectAltNames

10 years agosome ipsec listall finetuning
Andreas Steffen [Tue, 6 Oct 2009 21:19:46 +0000 (23:19 +0200)]
some ipsec listall finetuning

10 years agopluto and charon now have the same ipsec listall output format
Andreas Steffen [Tue, 6 Oct 2009 14:49:46 +0000 (16:49 +0200)]
pluto and charon now have the same ipsec listall output format

10 years agothe ikev1 scenarios need the x509 plugin
Andreas Steffen [Tue, 6 Oct 2009 12:38:34 +0000 (14:38 +0200)]
the ikev1 scenarios need the x509 plugin

10 years agostreamlined output from get_validity()
Andreas Steffen [Tue, 6 Oct 2009 12:22:27 +0000 (14:22 +0200)]
streamlined output from get_validity()

10 years agofixed serial number conversion from hex
Andreas Steffen [Mon, 5 Oct 2009 21:52:35 +0000 (23:52 +0200)]
fixed serial number conversion from hex

10 years agodelete group attributes after use
Andreas Steffen [Mon, 5 Oct 2009 21:17:36 +0000 (23:17 +0200)]
delete group attributes after use

10 years agostroke_list outputs group attributes
Andreas Steffen [Mon, 5 Oct 2009 21:13:51 +0000 (23:13 +0200)]
stroke_list outputs group attributes

10 years agoipsec pki --issue suports --flag authServer option
Andreas Steffen [Mon, 5 Oct 2009 20:44:01 +0000 (22:44 +0200)]
ipsec pki --issue suports --flag authServer option

10 years agoipsec pki --issue supports --flag ocspSigning option
Andreas Steffen [Mon, 5 Oct 2009 19:20:42 +0000 (21:20 +0200)]
ipsec pki --issue supports --flag ocspSigning option

10 years agoCleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads
Martin Willi [Mon, 5 Oct 2009 12:06:32 +0000 (14:06 +0200)]
Cleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads

10 years agoCleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads
Martin Willi [Mon, 5 Oct 2009 11:32:41 +0000 (13:32 +0200)]
Cleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads

10 years agoDistinguish invalid free()s between corrupted magic and invalid pointer
Martin Willi [Mon, 5 Oct 2009 08:49:10 +0000 (10:49 +0200)]
Distinguish invalid free()s between corrupted magic and invalid pointer

10 years agopluto now uses x509 plugin for attribute certificate handling
Andreas Steffen [Mon, 5 Oct 2009 05:24:28 +0000 (07:24 +0200)]
pluto now uses x509 plugin for attribute certificate handling

10 years agofixed output of authKeyID
Andreas Steffen [Fri, 2 Oct 2009 19:20:45 +0000 (21:20 +0200)]
fixed output of authKeyID

10 years agomark embedded parsing in debug mode
Andreas Steffen [Fri, 2 Oct 2009 18:54:15 +0000 (20:54 +0200)]
mark embedded parsing in debug mode

10 years agoadded some notBefore/notAfter debugging info
Andreas Steffen [Fri, 2 Oct 2009 18:14:09 +0000 (20:14 +0200)]
added some notBefore/notAfter debugging info

10 years agoverify correctness of X.509 versions
Andreas Steffen [Fri, 2 Oct 2009 15:49:51 +0000 (17:49 +0200)]
verify correctness of X.509 versions

10 years agoadded all missing RFC 5280 OIDs
Andreas Steffen [Fri, 2 Oct 2009 12:10:27 +0000 (14:10 +0200)]
added all missing RFC 5280 OIDs

10 years agocreated ikev1/mode-config-multiple scenario
Andreas Steffen [Thu, 1 Oct 2009 07:42:35 +0000 (09:42 +0200)]
created ikev1/mode-config-multiple scenario

10 years agofixes multiple IPsec SAs with IKEv1 Mode Config
Andreas Steffen [Thu, 1 Oct 2009 07:41:35 +0000 (09:41 +0200)]
fixes multiple IPsec SAs with IKEv1 Mode Config

10 years agogenerate known OIDs dynamically
Andreas Steffen [Wed, 30 Sep 2009 09:49:32 +0000 (11:49 +0200)]
generate known OIDs dynamically

10 years agopluto's crl handling now uses the x509 plugin
Andreas Steffen [Wed, 30 Sep 2009 07:29:15 +0000 (09:29 +0200)]
pluto's crl handling now uses the x509 plugin

10 years agoscepclient uses pkcs10 from libstrongswan
Andreas Steffen [Mon, 28 Sep 2009 03:52:20 +0000 (05:52 +0200)]
scepclient uses pkcs10 from libstrongswan

10 years agoabbreviated struct connection by connection_t
Andreas Steffen [Sun, 27 Sep 2009 21:49:37 +0000 (23:49 +0200)]
abbreviated struct connection by connection_t

10 years agopluto and scepclient now use the x509 plugin for certificates
Andreas Steffen [Sun, 27 Sep 2009 21:09:30 +0000 (23:09 +0200)]
pluto and scepclient now use the x509 plugin for certificates

10 years agowhitelist Curl_client_write
Andreas Steffen [Sun, 27 Sep 2009 21:07:21 +0000 (23:07 +0200)]
whitelist Curl_client_write

10 years agoadded get_subjectKeyIdentifier() to x509_t
Andreas Steffen [Sat, 26 Sep 2009 20:10:36 +0000 (22:10 +0200)]
added get_subjectKeyIdentifier() to x509_t

10 years agoDo not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts
Martin Willi [Thu, 24 Sep 2009 12:15:20 +0000 (14:15 +0200)]
Do not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts

10 years agoDo not create a replacement IKE_SA if we have CHILD_SAs to route only
Martin Willi [Thu, 24 Sep 2009 12:14:30 +0000 (14:14 +0200)]
Do not create a replacement IKE_SA if we have CHILD_SAs to route only

10 years agoUsing the correct type for ME_ENDPOINT payloads in connectivity checks.
Tobias Brunner [Thu, 24 Sep 2009 09:28:43 +0000 (11:28 +0200)]
Using the correct type for ME_ENDPOINT payloads in connectivity checks.

10 years agoRight-align short options in pki usage
Martin Willi [Thu, 24 Sep 2009 09:28:31 +0000 (11:28 +0200)]
Right-align short options in pki usage

10 years agocertificate subject DNs are in double quotes
Andreas Steffen [Wed, 23 Sep 2009 20:03:52 +0000 (22:03 +0200)]
certificate subject DNs are in double quotes

10 years agostreamlining of credential loading debug output
Andreas Steffen [Wed, 23 Sep 2009 19:55:48 +0000 (21:55 +0200)]
streamlining of credential loading debug output

10 years agoadded fix of PKCS#7 wrapped certificates to NEWS
Andreas Steffen [Wed, 23 Sep 2009 19:50:56 +0000 (21:50 +0200)]
added fix of PKCS#7 wrapped certificates to NEWS

10 years agoadded and fixed debug output of version information
Andreas Steffen [Wed, 23 Sep 2009 14:21:18 +0000 (16:21 +0200)]
added and fixed debug output of version information

10 years agofixed PKCS#7 wrapped certificate parsing
Andreas Steffen [Wed, 23 Sep 2009 13:51:40 +0000 (15:51 +0200)]
fixed PKCS#7 wrapped certificate parsing

10 years agoUse mysql_config to query MySQL LIBS and CFLAGS
Martin Willi [Wed, 23 Sep 2009 10:45:03 +0000 (12:45 +0200)]
Use mysql_config to query MySQL LIBS and CFLAGS

10 years agoFixed a crash in source address lookup
Martin Willi [Wed, 23 Sep 2009 09:18:30 +0000 (11:18 +0200)]
Fixed a crash in source address lookup

10 years agoDefine ME for all charon plugins
Martin Willi [Wed, 23 Sep 2009 09:13:27 +0000 (11:13 +0200)]
Define ME for all charon plugins

10 years agoCorrectly handle --enable-mediation option
Martin Willi [Wed, 23 Sep 2009 08:49:38 +0000 (10:49 +0200)]
Correctly handle --enable-mediation option

10 years agoenforce coding rules
Andreas Steffen [Tue, 22 Sep 2009 19:50:28 +0000 (21:50 +0200)]
enforce coding rules

10 years agoenforce coding rules
Andreas Steffen [Tue, 22 Sep 2009 18:54:10 +0000 (20:54 +0200)]
enforce coding rules

10 years agoset XFRM_STATE_AF_UNSPEC flag
Andreas Steffen [Tue, 22 Sep 2009 18:00:49 +0000 (20:00 +0200)]
set XFRM_STATE_AF_UNSPEC flag

10 years agoEmit a ALERT_SHUTDOWN_SIGNAL before shutting down the daemon
Martin Willi [Tue, 22 Sep 2009 14:59:25 +0000 (16:59 +0200)]
Emit a ALERT_SHUTDOWN_SIGNAL before shutting down the daemon

10 years agoadding additional flags to loaded X.509 certificates
Andreas Steffen [Tue, 22 Sep 2009 10:55:25 +0000 (12:55 +0200)]
adding additional flags to loaded X.509 certificates

10 years agoreadying NEWS for the strongswan-4.3.5dr2 release
Andreas Steffen [Tue, 22 Sep 2009 10:44:58 +0000 (12:44 +0200)]
readying NEWS for the strongswan-4.3.5dr2 release

10 years agoshortened file loading debug output
Andreas Steffen [Tue, 22 Sep 2009 10:33:13 +0000 (12:33 +0200)]
shortened file loading debug output

10 years agocomputed hash-and-url for new certificates
Andreas Steffen [Tue, 22 Sep 2009 10:05:37 +0000 (12:05 +0200)]
computed hash-and-url for new certificates

10 years agoFixed encoding of hash-and-url cert payload
Martin Willi [Tue, 22 Sep 2009 08:07:04 +0000 (10:07 +0200)]
Fixed encoding of hash-and-url cert payload

10 years agoDo not assign SIM version to a volatile buffer on stack
Martin Willi [Tue, 22 Sep 2009 07:11:35 +0000 (09:11 +0200)]
Do not assign SIM version to a volatile buffer on stack

10 years agoCA certificates are looked up using the subjectPublicKeyInfo keyid
Martin Willi [Mon, 21 Sep 2009 16:13:25 +0000 (18:13 +0200)]
CA certificates are looked up using the subjectPublicKeyInfo keyid

10 years agoCredential backends use has_fingerprint() methods to select keys/certificates
Martin Willi [Mon, 21 Sep 2009 15:03:00 +0000 (17:03 +0200)]
Credential backends use has_fingerprint() methods to select keys/certificates

10 years agoPublic/Private keys implement a has_fingerprint() method
Martin Willi [Mon, 21 Sep 2009 14:47:25 +0000 (16:47 +0200)]
Public/Private keys implement a has_fingerprint() method

10 years agoCorrectly serve certificates if CERT_ANY requested
Martin Willi [Mon, 21 Sep 2009 13:34:29 +0000 (15:34 +0200)]
Correctly serve certificates if CERT_ANY requested

10 years agoEnforce a local address of the same family as remote address
Martin Willi [Mon, 21 Sep 2009 13:19:39 +0000 (15:19 +0200)]
Enforce a local address of the same family as remote address

10 years agoReturn certificates of requested kind only
Martin Willi [Mon, 21 Sep 2009 12:43:57 +0000 (14:43 +0200)]
Return certificates of requested kind only

10 years agoplugin has been renamed to resolve
Andreas Steffen [Sun, 20 Sep 2009 20:03:23 +0000 (22:03 +0200)]
plugin has been renamed to resolve

10 years agodelete resolv_conf_* files
Andreas Steffen [Sun, 20 Sep 2009 19:59:36 +0000 (21:59 +0200)]
delete resolv_conf_* files

10 years agoall arguments must be read
Andreas Steffen [Sun, 20 Sep 2009 19:56:22 +0000 (21:56 +0200)]
all arguments must be read

10 years agoresolv_conf plugin renamed to resolve
Andreas Steffen [Sun, 20 Sep 2009 17:06:58 +0000 (19:06 +0200)]
resolv_conf plugin renamed to resolve

10 years agoadapt evaltest.dat to changed debug output
Andreas Steffen [Sun, 20 Sep 2009 15:23:24 +0000 (17:23 +0200)]
adapt evaltest.dat to changed debug output

10 years agorenewed certs in dynamic-initiator/dynamic-responder scenarios
Andreas Steffen [Sat, 19 Sep 2009 06:18:42 +0000 (08:18 +0200)]
renewed certs in dynamic-initiator/dynamic-responder scenarios

10 years agouse new certificates
Andreas Steffen [Fri, 18 Sep 2009 22:26:55 +0000 (00:26 +0200)]
use new certificates

10 years agoeliminated double library_deinit()
Andreas Steffen [Fri, 18 Sep 2009 22:00:56 +0000 (00:00 +0200)]
eliminated double library_deinit()

10 years agokeyids of renewed keys
Andreas Steffen [Fri, 18 Sep 2009 19:44:57 +0000 (21:44 +0200)]
keyids of renewed keys

10 years agoupdated to renewed certs in SQL database
Andreas Steffen [Fri, 18 Sep 2009 19:22:37 +0000 (21:22 +0200)]
updated to renewed certs in SQL database

10 years agorenewal of end entity certificates
Andreas Steffen [Fri, 18 Sep 2009 19:17:03 +0000 (21:17 +0200)]
renewal of end entity certificates

10 years agofixed --enable-eap-md5 and --enable-eap-gtc options
Andreas Steffen [Fri, 18 Sep 2009 16:23:26 +0000 (18:23 +0200)]
fixed --enable-eap-md5 and --enable-eap-gtc options

10 years agobackwards compatibility with SQL format
Andreas Steffen [Fri, 18 Sep 2009 05:22:07 +0000 (07:22 +0200)]
backwards compatibility with SQL format

10 years agoUse helper functions to handle (non-)skippable attributes
Martin Willi [Fri, 18 Sep 2009 13:08:43 +0000 (15:08 +0200)]
Use helper functions to handle (non-)skippable attributes

10 years agoClients can handle AKA-Identity requests by sending the full identity
Martin Willi [Fri, 18 Sep 2009 12:51:35 +0000 (14:51 +0200)]
Clients can handle AKA-Identity requests by sending the full identity

10 years agonm uses the distributions trusted root CAs if none is explicitly specified
Martin Willi [Fri, 18 Sep 2009 12:29:50 +0000 (14:29 +0200)]
nm uses the distributions trusted root CAs if none is explicitly specified

10 years agosome reformulations
Andreas Steffen [Thu, 17 Sep 2009 20:20:35 +0000 (22:20 +0200)]
some reformulations

10 years agoget_private() in listcacerts requires a valid auth cfg
Martin Willi [Thu, 17 Sep 2009 10:47:03 +0000 (12:47 +0200)]
get_private() in listcacerts requires a valid auth cfg

10 years agoFixed nexthop lookup, used by source route installation
Martin Willi [Wed, 16 Sep 2009 11:55:32 +0000 (13:55 +0200)]
Fixed nexthop lookup, used by source route installation

10 years agoUse continue to advance to next iteration
Martin Willi [Wed, 16 Sep 2009 11:32:47 +0000 (13:32 +0200)]
Use continue to advance to next iteration

10 years agoComplain about missing %defaultroute support only if one is actually used
Martin Willi [Wed, 16 Sep 2009 11:27:49 +0000 (13:27 +0200)]
Complain about missing %defaultroute support only if one is actually used

10 years agoUse the default debug hook if possible
Martin Willi [Wed, 16 Sep 2009 11:16:00 +0000 (13:16 +0200)]
Use the default debug hook if possible

10 years agoDefault logger implementation can be modified by dbg_default_set_level/stream
Martin Willi [Wed, 16 Sep 2009 11:06:16 +0000 (13:06 +0200)]
Default logger implementation can be modified by dbg_default_set_level/stream

10 years agoRemoved obsolete per-command debug level option
Martin Willi [Wed, 16 Sep 2009 10:52:56 +0000 (12:52 +0200)]
Removed obsolete per-command debug level option

10 years agoFixed loading of DER encoded certificate files
Martin Willi [Wed, 16 Sep 2009 09:24:35 +0000 (11:24 +0200)]
Fixed loading of DER encoded certificate files

10 years agocorrected usage
Andreas Steffen [Tue, 15 Sep 2009 20:43:22 +0000 (22:43 +0200)]
corrected usage

10 years agopki --req generates a PKCS#10 certificate request
Andreas Steffen [Tue, 15 Sep 2009 20:33:32 +0000 (22:33 +0200)]
pki --req generates a PKCS#10 certificate request

10 years agoimplemented ASN.1 encoding of PKCS#10 attributes
Andreas Steffen [Tue, 15 Sep 2009 19:55:44 +0000 (21:55 +0200)]
implemented ASN.1 encoding of PKCS#10 attributes

10 years agofixed typo
Andreas Steffen [Tue, 15 Sep 2009 14:48:13 +0000 (16:48 +0200)]
fixed typo

10 years agoDisable rtnetlink defaultroute lookup if pluto is disabled
Martin Willi [Tue, 15 Sep 2009 11:13:45 +0000 (13:13 +0200)]
Disable rtnetlink defaultroute lookup if pluto is disabled

As we do not support Pluto on BSD/Mac, exclude the Linux specific
rtnetlink routing lookup; Charon doesn't require it anyway.

10 years agoGet starter default route via rtnetlink
Heiko Hund [Tue, 8 Sep 2009 09:32:50 +0000 (11:32 +0200)]
Get starter default route via rtnetlink

This patch changes the way routes are fetched from the kernel by starter.

The way it's currently done (via /proc) is limited to routes in the
"main" routing table. Routes from the "default" table are never seen by
starter. Starter may miss the default route even if it's set. Thus, default
routes are now read from the "main" and the "default" table.

The way this code behaves if more than one default route is found is slightly
different to before. Instead of bailing out it just chooses the one with the best
metric. I thought this was be a reasonable change.

10 years agoHandle pki --debug and --options in a generic way for all command
Martin Willi [Tue, 15 Sep 2009 09:49:14 +0000 (11:49 +0200)]
Handle pki --debug and --options in a generic way for all command

10 years agopki tool supports single letter short options
Martin Willi [Tue, 15 Sep 2009 08:20:22 +0000 (10:20 +0200)]
pki tool supports single letter short options

10 years agoExponents of a RSA key in openssl are optional (for PGP)
Martin Willi [Tue, 15 Sep 2009 07:17:04 +0000 (09:17 +0200)]
Exponents of a RSA key in openssl are optional (for PGP)

10 years agoAdded some NEWS
Martin Willi [Tue, 15 Sep 2009 07:13:31 +0000 (09:13 +0200)]
Added some NEWS