| Graph | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| ... | | | | | |
| * | Properly hash pointers for hash tables where appropriate<br>Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket. | Tobias Brunner | 2014-03-31 | 4 | -71/+7 |
| * | kernel-pfroute: Let get_nexthop() default to destination address | Tobias Brunner | 2014-03-31 | 1 | -3/+7 |
| * | x509: CERT_DECODE actually requires KEY_ANY<br>More specific decoders might still be needed, but the x509 plugin should not care which ones. | Tobias Brunner | 2014-03-31 | 1 | -3/+1 |
| * | pkcs1: KEY_ANY public key decoder soft depends on specific decoders | Tobias Brunner | 2014-03-31 | 1 | -0/+3 |
| * | eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates<br>Fixes #528. | Tobias Brunner | 2014-03-31 | 2 | -1/+10 |
| * | ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal<br>Fixes #533. | Tobias Brunner | 2014-03-31 | 1 | -4/+12 |
| * | proposal: Don't fail DH proposal matching if peer includes NONE<br>The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide to not do so. Fixes #532. | Tobias Brunner | 2014-03-31 | 1 | -4/+19 |
| * | conf: Order settings in man page alphabetically<br>For the config snippets the options are now explicitly ordered before subsections. | Tobias Brunner | 2014-03-31 | 1 | -5/+4 |
| * | Merge branch 'acerts'<br>(Re-)Introduces X.509 Attribute Certificate support in IKE, and cleans up the x509 AC parser/generator. ACs may be stored locally or exchanged in IKEv2 CERT payloads, Attribute Authorities must be installed locally. pki --acert issues Attribute Certificates and replaces the removed openac utility. | Martin Willi | 2014-03-31 | 96 | -1587/+2394 |
| \| * | NEWS: Add acert and pki changes for 5.1.3 | Martin Willi | 2014-03-31 | 1 | -0/+13 |
| \| * | openac: Remove obsolete openac utility<br>The same functionality is now provided by the pki --acert subcommand. | Martin Willi | 2014-03-31 | 10 | -772/+21 |
| \| * | pki: Document --not-before/after and --dateform options in manpages | Martin Willi | 2014-03-31 | 4 | -7/+99 |
| \| * | pki: Support absolute --this/next-update CRL lifetimes | Martin Willi | 2014-03-31 | 1 | -6/+22 |
| \| * | pki: Support absolute --not-before/after issued certificate lifetimes | Martin Willi | 2014-03-31 | 2 | -7/+22 |
| \| * | pki: Support absolute --not-before/after self-signed certificate lifetimes | Martin Willi | 2014-03-31 | 1 | -5/+22 |
| \| * | pki: Support absolute --not-before/after acert lifetimes | Martin Willi | 2014-03-31 | 1 | -7/+26 |
| \| * | pki: Add a certificate lifetime calculation helper function | Martin Willi | 2014-03-31 | 2 | -1/+69 |
| \| * | testing: Add an acert test that forces a fallback connection based on groups | Martin Willi | 2014-03-31 | 13 | -0/+199 |
| \| * | testing: Add an acert test case sending attribute certificates inline | Martin Willi | 2014-03-31 | 18 | -0/+291 |
| \| * | testing: Add an acert test using locally cached attribute certificates | Martin Willi | 2014-03-31 | 16 | -0/+239 |
| \| * | testing: build strongSwan with acert plugin | Martin Willi | 2014-03-31 | 1 | -0/+1 |
| \| * | ikev2: Cache all received attribute certificates to auth config | Martin Willi | 2014-03-31 | 1 | -1/+27 |
| \| * | ikev2: Send all known and valid attribute certificates for subject cert | Martin Willi | 2014-03-31 | 1 | -0/+46 |
| \| * | ikev2: Slightly refactor certificate payload construction to separate functions | Martin Willi | 2014-03-31 | 1 | -37/+56 |
| \| * | ike: Support encoding of attribute certificates in CERT payloads | Martin Willi | 2014-03-31 | 1 | -1/+6 |
| \| * | auth-cfg: Declare an attribute certificate helper type to exchange acerts | Martin Willi | 2014-03-31 | 3 | -2/+15 |
| \| * | acert: Implement a plugin finding, validating and evaluating attribute certs<br>This validator checks for any attribute certificate it can find for validated end entity certificates and tries to extract group membership information used for connection authorization rules. | Martin Willi | 2014-03-31 | 7 | -0/+367 |
| \| * | x509: Match acert has_subject() against entityName or holder serial<br>This allows us to find attribute certificates for a subject certificate in credential sets. | Martin Willi | 2014-03-31 | 1 | -5/+25 |
| \| * | pki: Add acert and extend pki/print manpages | Martin Willi | 2014-03-31 | 5 | -2/+116 |
| \| * | pki: Implement an acert command to issue attribute certificates | Martin Willi | 2014-03-31 | 3 | -1/+275 |
| \| * | pki: Support printing attribute certificates | Martin Willi | 2014-03-31 | 1 | -1/+89 |
| \| * | pki: Don't generate negative random serial numbers in X.509 certificates<br>According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers. | Martin Willi | 2014-03-31 | 2 | -0/+2 |
| \| * | pem: Support encoding of attribute certificates<br>While there is no widely used PEM header for attribute certificates, at least IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE: http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate) | Martin Willi | 2014-03-31 | 1 | -1/+6 |
| \| * | x509: Replace the comma separated string AC group builder with a list based one | Martin Willi | 2014-03-31 | 4 | -10/+22 |
| \| * | x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t<br>The ietf_attributes_t class is used for attribute certificates only these days, and integrating them to x509_ac_t simplifies things significantly. | Martin Willi | 2014-03-31 | 6 | -639/+186 |
| \| * | x509: Replace fixed acert group string getter by a more dynamic group enumerator | Martin Willi | 2014-03-31 | 5 | -69/+131 |
| \| * | x509: Skip parsing of acert chargingIdentity, as we don't use it anyway | Martin Willi | 2014-03-31 | 1 | -9/+1 |
| \| * | x509: Fix some whitespaces and do some minor style cleanups in acert | Martin Willi | 2014-03-31 | 1 | -72/+76 |
| \| * | ac: Remove unimplemented equals_holder() method from ac_t | Martin Willi | 2014-03-31 | 1 | -8/+0 |
| * | Added libipsec/net2net-3des scenario | Andreas Steffen | 2014-03-28 | 11 | -0/+1521 |
| * | Renewed self-signed OCSP signer certificate | Andreas Steffen | 2014-03-27 | 4 | -43/+45 |
| * | unit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms<br>In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts the tests failed as the actual integer value got cut off. | Tobias Brunner | 2014-03-27 | 1 | -12/+12 |
| * | travis: Run the "all" test case with leak detective enabled<br>But disable the gcrypt plugin, as it causes leaks. Also disable the backtraces by libunwind as they seem to cause threads to get cleaned up after the leak detective already has been disabled, which leads to invalid free()s. | Tobias Brunner | 2014-03-27 | 2 | -0/+7 |
| * | unit-tests: Fix memory leak in ntru tests | Tobias Brunner | 2014-03-27 | 1 | -3/+5 |
| * | Version bump to 5.1.3rc1 | Andreas Steffen | 2014-03-26 | 1 | -1/+1 |
| * | Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario | Andreas Steffen | 2014-03-24 | 1 | -0/+4 |
| * | Updated expired certificates issued by the Research and Sales Intermediate CAs | Andreas Steffen | 2014-03-24 | 21 | -185/+295 |
| * | Renewed revoked Research CA certificate (tag: 5.1.3dr1) | Andreas Steffen | 2014-03-22 | 6 | -11/+37 |
| * | unit-test: added missing TEST_FUNCTION macros | Andreas Steffen | 2014-03-22 | 1 | -8/+16 |
| * | Added openssl-ikev2/net2net-pgp-v3 scenario | Andreas Steffen | 2014-03-22 | 17 | -0/+208 |