Commit log. Each entry lists the commit message, then author, date, number of files changed and lines removed/added (-/+), followed by the commit message body where one exists.
* Properly hash pointers for hash tables where appropriate
  Tobias Brunner, 2014-03-31, 4 files, -71/+7
  Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.

* kernel-pfroute: Let get_nexthop() default to destination address
  Tobias Brunner, 2014-03-31, 1 file, -3/+7

* x509: CERT_DECODE actually requires KEY_ANY
  Tobias Brunner, 2014-03-31, 1 file, -3/+1
  More specific decoders might still be needed, but the x509 plugin should not care which ones.

* pkcs1: KEY_ANY public key decoder soft depends on specific decoders
  Tobias Brunner, 2014-03-31, 1 file, -0/+3
* eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates
  Tobias Brunner, 2014-03-31, 2 files, -1/+10
  Fixes #528.
* ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal
  Tobias Brunner, 2014-03-31, 1 file, -4/+12
  Fixes #533.

* proposal: Don't fail DH proposal matching if peer includes NONE
  Tobias Brunner, 2014-03-31, 1 file, -4/+19
  The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide to not do so.
  Fixes #532.

* conf: Order settings in man page alphabetically
  Tobias Brunner, 2014-03-31, 1 file, -5/+4
  For the config snippets the options are now explicitly ordered before subsections.
* Merge branch 'acerts'
  Martin Willi, 2014-03-31, 96 files, -1587/+2394
  (Re-)Introduces X.509 Attribute Certificate support in IKE, and cleans up the x509 AC parser/generator. ACs may be stored locally or exchanged in IKEv2 CERT payloads, Attribute Authorities must be installed locally. pki --acert issues Attribute Certificates and replaces the removed openac utility.

  Commits merged from branch 'acerts':

  * NEWS: Add acert and pki changes for 5.1.3
    Martin Willi, 2014-03-31, 1 file, -0/+13

  * openac: Remove obsolete openac utility
    Martin Willi, 2014-03-31, 10 files, -772/+21
    The same functionality is now provided by the pki --acert subcommand.

  * pki: Document --not-before/after and --dateform options in manpages
    Martin Willi, 2014-03-31, 4 files, -7/+99

  * pki: Support absolute --this/next-update CRL lifetimes
    Martin Willi, 2014-03-31, 1 file, -6/+22

  * pki: Support absolute --not-before/after issued certificate lifetimes
    Martin Willi, 2014-03-31, 2 files, -7/+22

  * pki: Support absolute --not-before/after self-signed certificate lifetimes
    Martin Willi, 2014-03-31, 1 file, -5/+22

  * pki: Support absolute --not-before/after acert lifetimes
    Martin Willi, 2014-03-31, 1 file, -7/+26

  * pki: Add a certificate lifetime calculation helper function
    Martin Willi, 2014-03-31, 2 files, -1/+69

  * testing: Add an acert test that forces a fallback connection based on groups
    Martin Willi, 2014-03-31, 13 files, -0/+199

  * testing: Add an acert test case sending attribute certificates inline
    Martin Willi, 2014-03-31, 18 files, -0/+291

  * testing: Add an acert test using locally cached attribute certificates
    Martin Willi, 2014-03-31, 16 files, -0/+239

  * testing: build strongSwan with acert plugin
    Martin Willi, 2014-03-31, 1 file, -0/+1

  * ikev2: Cache all received attribute certificates to auth config
    Martin Willi, 2014-03-31, 1 file, -1/+27

  * ikev2: Send all known and valid attribute certificates for subject cert
    Martin Willi, 2014-03-31, 1 file, -0/+46

  * ikev2: Slightly refactor certificate payload construction to separate functions
    Martin Willi, 2014-03-31, 1 file, -37/+56

  * ike: Support encoding of attribute certificates in CERT payloads
    Martin Willi, 2014-03-31, 1 file, -1/+6

  * auth-cfg: Declare an attribute certificate helper type to exchange acerts
    Martin Willi, 2014-03-31, 3 files, -2/+15

  * acert: Implement a plugin finding, validating and evaluating attribute certs
    Martin Willi, 2014-03-31, 7 files, -0/+367
    This validator checks for any attribute certificate it can find for validated end entity certificates and tries to extract group membership information used for connection authorization rules.

  * x509: Match acert has_subject() against entityName or holder serial
    Martin Willi, 2014-03-31, 1 file, -5/+25
    This allows us to find attribute certificates for a subject certificate in credential sets.

  * pki: Add acert and extend pki/print manpages
    Martin Willi, 2014-03-31, 5 files, -2/+116

  * pki: Implement an acert command to issue attribute certificates
    Martin Willi, 2014-03-31, 3 files, -1/+275

  * pki: Support printing attribute certificates
    Martin Willi, 2014-03-31, 1 file, -1/+89

  * pki: Don't generate negative random serial numbers in X.509 certificates
    Martin Willi, 2014-03-31, 2 files, -0/+2
    According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.

  * pem: Support encoding of attribute certificates
    Martin Willi, 2014-03-31, 1 file, -1/+6
    While there is no widely used PEM header for attribute certificates, at least IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE: http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate)

  * x509: Replace the comma separated string AC group builder with a list based one
    Martin Willi, 2014-03-31, 4 files, -10/+22

  * x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
    Martin Willi, 2014-03-31, 6 files, -639/+186
    The ietf_attributes_t class is used for attribute certificates only these days, and integrating them to x509_ac_t simplifies things significantly.

  * x509: Replace fixed acert group string getter by a more dynamic group enumerator
    Martin Willi, 2014-03-31, 5 files, -69/+131

  * x509: Skip parsing of acert chargingIdentity, as we don't use it anyway
    Martin Willi, 2014-03-31, 1 file, -9/+1

  * x509: Fix some whitespaces and do some minor style cleanups in acert
    Martin Willi, 2014-03-31, 1 file, -72/+76

  * ac: Remove unimplemented equals_holder() method from ac_t
    Martin Willi, 2014-03-31, 1 file, -8/+0
* Added libipsec/net2net-3des scenario
  Andreas Steffen, 2014-03-28, 11 files, -0/+1521

* Renewed self-signed OCSP signer certificate
  Andreas Steffen, 2014-03-27, 4 files, -43/+45

* unit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms
  Tobias Brunner, 2014-03-27, 1 file, -12/+12
  In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts the tests failed as the actual integer value got cut off.

* travis: Run the "all" test case with leak detective enabled
  Tobias Brunner, 2014-03-27, 2 files, -0/+7
  But disable the gcrypt plugin, as it causes leaks. Also disable the backtraces by libunwind as they seem to cause threads to get cleaned up after the leak detective already has been disabled, which leads to invalid free()s.

* unit-tests: Fix memory leak in ntru tests
  Tobias Brunner, 2014-03-27, 1 file, -3/+5

* Version bump to 5.1.3rc1
  Andreas Steffen, 2014-03-26, 1 file, -1/+1

* Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario
  Andreas Steffen, 2014-03-24, 1 file, -0/+4

* Updated expired certificates issued by the Research and Sales Intermediate CAs
  Andreas Steffen, 2014-03-24, 21 files, -185/+295

* Renewed revoked Research CA certificate (tag: 5.1.3dr1)
  Andreas Steffen, 2014-03-22, 6 files, -11/+37

* unit-test: added missing TEST_FUNCTION macros
  Andreas Steffen, 2014-03-22, 1 file, -8/+16

* Added openssl-ikev2/net2net-pgp-v3 scenario
  Andreas Steffen, 2014-03-22, 17 files, -0/+208