0d59713dd9
Fixed ipsec pool --batch command
...
--batch mode has shown to be buggy in very obscure ways in the first real
life tests. For example a batch file
--del pool1
--replace pool2 --addresses file1
returned the error "/usr/libexec/ipsec/pool: unrecognized option '--lace'"
which was gone after moving the --del behind --replace. With the patch
from below applied everything works like a charm. From the info on the
man page it seem to be unrelated to this problem, though:
A program that scans multiple argument vectors, or
rescans the same vector more than once, and wants to
make use of GNU extensions such as '+' and '-' at the
start of optstring, or changes the value of
POSIXLY_CORRECT between scans, must reinitialize
getopt() by resetting optind to 0, rather than the
traditional value of 1. (Resetting to 0 forces the
invocation of an internal initialization routine that
rechecks POSIXLY_CORRECT and checks for GNU exten-
sions in optstring.)
Signed-off-by: Heiko Hund <hhund@astaro.com>
2010-03-24 08:21:36 +01:00
7c11d10eb8
Removed strayed code fragment
2010-03-19 10:25:12 +01:00
437690f897
ipsec pool --batch command
...
Introduce the --batch command which reads several ipsec pool commands
and their arguments from a file or STDIN. Useful if you need to run
serveral commands atomically from a configuration daemon or likewise.
Signed-off-by: Heiko Hund <hhund@astaro.com>
2010-03-19 10:23:40 +01:00
a90ed06f8a
ipsec pool error return status
...
Fix the error return status of the ipsec pool command. Also make --del for
attributes succeed if no --server option was given.
Signed-off-by: Heiko Hund <hhund@astaro.com>
2010-03-19 10:23:35 +01:00
ef9f69a2b9
ipsec pool --replace command
...
Introduce the pool --replace command as an alternative to --add. Also change
the current behavior of allowing duplicate pool names so that, --add with
an existing name fails and --replace removes the existing pool before
adding the new one.
Signed-off-by: Heiko Hund <hhund@astaro.com>
2010-03-19 10:23:29 +01:00
49a452e3a2
--addresses option for ipsec pool --add command
...
Introduce the --addresses option for --add that can be used to add a pool
containing non-contiguous addresses. Additionally it allows to preclaim
certain addresses for certain roadwarrior IDs. See the second chunk of
the patch for a more detailed description.
Signed-off-by: Heiko Hund <hhund@astaro.com>
2010-03-19 10:23:26 +01:00
a3316c2b9f
setting the two most significant bits assures an RSA modulus of maximum bit size
2010-03-15 15:13:26 +01:00
d12ad4748a
fix 64bit issue with time_t from database
2010-03-10 10:46:49 +01:00
908d571796
Provide the Diffie Hellman parameters from a central location, so that we do not have to replicate them in every plugin that implements the DH interface.
...
The main reason for this change is that Android's libcrypto does not
include the get_rfcX_prime_Y functions by default. Therefore we would
have had to replicate the primes a third time.
2010-03-09 17:15:16 +01:00
d543d9cadf
Adding a helper function that translates single characters in a string.
2010-03-08 15:34:38 +01:00
d14203b009
Replaced the deprecated RSA_generate_key with RSA_generate_key_ex.
2010-03-08 15:34:38 +01:00
40f130dab3
Implemented the PRF_KEYED_SHA1 algorithm in the openssl plugin
2010-03-08 13:16:12 +01:00
ceeb9bac8b
critical keyUsage extension must be parsed
2010-03-07 20:51:34 +01:00
1ec8f22de2
set Certificate Sign and CRL Sign flags in keyUsage extension if CA is true
2010-03-07 17:27:53 +01:00
afb364fff9
Reverting eba28948a5 which was only necessary when cross-compiling the plugins for Android 2.0.
...
With the coming monolithic build using Android.mk files this won't be
necessary anymore.
2010-03-02 12:03:44 +01:00
4e657051f7
Streamlined the source file list formatting in plugin makefiles.
2010-03-02 10:40:50 +01:00
6ec60bb92b
Link all enabled libstrongswan plugins into the library, link all enabled charon plugins into libcharon.
2010-03-02 10:38:52 +01:00
3724668b3d
Enabling the plugin loader to be able to load plugins without explicitly loading a shared object file first.
2010-03-02 09:10:32 +01:00
9ce567f895
Changed plugin constructors from plugin_create to plugin_name_plugin_create.
2010-03-02 09:10:26 +01:00
6cc13cd9c5
Removing the plugin constructor declarations from the header files.
2010-03-02 09:10:19 +01:00
eba28948a5
Link all plugins to libstrongswan.
2010-02-25 13:51:05 +01:00
3e35a6e7a1
Use side-channel secured mpz_powm_sec of libgmp 5, if available
2010-02-18 17:38:59 +01:00
b917f49684
initialize variables to avoid compiler warning
2010-02-05 12:34:37 +01:00
7eab4a1be6
Support TLS client authentication Extended Key Usage in x509 generation
2010-01-14 12:00:43 +01:00
3e33ae1004
ipsec pki --self|issue supports --pathlen option setting a path length constraint
2009-12-31 15:13:35 +01:00
4a5a5dd290
Using the thread wrapper in charon, libstrongswan and their plugins.
2009-12-23 17:03:41 +01:00
eba64cef41
Separated the public interfaces of the threading primitives.
2009-12-23 17:01:53 +01:00
14f7091280
Moved mutex.c to a separate folder in order to cleanly wrap other threading primitives (and utils/mutex.h is now threading.h).
2009-12-23 17:00:58 +01:00
e16a01a5e6
X509_IP_ADDR_BLOCKS flag signals the presence of an ipAddrBlock certificate extension
2009-12-22 13:18:27 +01:00
91e35b7c9e
added create_ipAddrBlock_enumerator() method to x509_t
2009-12-22 11:58:30 +01:00
157125e4c9
traffic_selector supports RFC 3779 address range format
2009-12-21 21:29:01 +01:00
513eb95e60
parse RFC 3779 addressFamily
2009-12-20 19:26:28 +01:00
7d379a786c
plugin name is x509
2009-12-20 16:01:35 +01:00
28c25485ba
discard certificate with unknown critical extensions
2009-12-20 15:53:39 +01:00
f3e366a9a0
use traffic_selector_t object to represent ipAddrBlocks
2009-12-20 15:15:02 +01:00
ad858aee15
parse ipAddrBlocks
2009-12-17 17:32:55 +01:00
83b760cb42
Migrated curl_fetcher to INIT/METHOD macros
2009-12-17 13:53:25 +01:00
645f3865b2
ipsec pool manages dns and nbns servers
2009-12-16 18:11:57 +01:00
3747f0f2e7
cosmetics
2009-12-16 13:33:09 +01:00
a461e20dd8
provide attributes from SQL database
2009-12-16 12:31:41 +01:00
4e90d9de9f
Removed obsolete curl interface specific destructor
2009-12-08 16:21:58 +01:00
b5a2055fb1
Give plugins more control of which configuration attributes to request, and pass received attributes back to the requesting handler
2009-11-17 14:51:50 +01:00
ee3d4ef801
Prefer MODP2048/1536 over ECP Diffie-Hellman groups
2009-11-12 13:10:30 +00:00
bb7ae382fd
added some debugging to pgp certificate parsing
2009-11-10 10:04:55 +01:00
262af16179
accept PGP v3 or v4 fingerprint as alternative to PGP user_id
2009-11-09 23:15:17 +01:00
ab5762e32a
list v3 or v4 fingerprint
2009-11-08 23:21:03 +01:00
9f0327e652
define TIME_32_BITS_SIGNED_MAX in utils.h
2009-11-08 18:55:52 +01:00
4c68a85a75
implemented path length constraint checkinf for IKEv2
2009-11-04 23:37:15 +01:00
fae322219f
output optional pathLenConstraint in ipsec listcacerts
2009-11-04 07:30:07 +01:00
00aa027503
implemented parsing of pathLenConstraint
2009-11-04 00:03:10 +01:00
4952dc11da
Fixed all doxygen warnings
2009-10-22 14:34:10 +02:00
38031878dd
moved .gitignore for pool
2009-10-15 14:58:09 +02:00
d38eb3355e
Migrated the lease_history option to the new libstrongswan plugin namespace
2009-10-15 10:14:10 +02:00
668870be47
pool should be in th gitignore list
2009-10-14 14:37:03 +02:00
270bb348e3
pluto now supports SQL-based virtual IP pools
2009-10-14 14:30:14 +02:00
247794827e
move SQL-based pool functionality to new attr-sql libstrongswan plugin
2009-10-13 17:02:29 +02:00
cf85e1319b
streamlined output from get_validity()
2009-10-06 14:22:27 +02:00
408e46a324
ipsec pki --issue suports --flag authServer option
2009-10-05 22:44:01 +02:00
ce40bf5def
ipsec pki --issue supports --flag ocspSigning option
2009-10-05 21:20:42 +02:00
fc12e3cd2e
pluto now uses x509 plugin for attribute certificate handling
2009-10-05 07:24:28 +02:00
0aa5cea248
mark embedded parsing in debug mode
2009-10-02 20:54:15 +02:00
ec0abe4ab5
added some notBefore/notAfter debugging info
2009-10-02 20:14:09 +02:00
daaedcb9c2
verify correctness of X.509 versions
2009-10-02 17:49:51 +02:00
70e81857f9
generate known OIDs dynamically
2009-09-30 11:49:32 +02:00
8ad23ba346
added get_subjectKeyIdentifier() to x509_t
2009-09-26 22:10:36 +02:00
840743479a
Use mysql_config to query MySQL LIBS and CFLAGS
2009-09-23 12:45:03 +02:00
a28334720c
adding additional flags to loaded X.509 certificates
2009-09-22 12:55:25 +02:00
640ed4d5a5
Public/Private keys implement a has_fingerprint() method
2009-09-21 16:47:25 +02:00
af784261f5
all arguments must be read
2009-09-20 21:56:22 +02:00
4e1cade52f
Fixed loading of DER encoded certificate files
2009-09-16 11:24:35 +02:00
edf30136b0
implemented ASN.1 encoding of PKCS#10 attributes
2009-09-15 21:55:44 +02:00
012f62a820
Exponents of a RSA key in openssl are optional (for PGP)
2009-09-15 09:33:00 +02:00
9f45b19fe7
Use ID_KEY_ID as PGP user id, as it can contain any string
2009-09-15 08:45:08 +02:00
79c6f16212
Implemented support for preinstalled PGP certificates in charon
2009-09-15 08:23:48 +02:00
4cb0e1bb76
Added basic support for PGP certificates (no trust relationships yet)
2009-09-15 08:23:48 +02:00
88f3ffa1b1
Moved generic PGP parsing functions to pgp_utils.[ch]
2009-09-15 08:23:47 +02:00
0001db115d
check if PKCS#10 version is 1
2009-09-14 19:38:57 +02:00
29662a9b73
cosmetics
2009-09-14 19:29:05 +02:00
b9fbd66587
Added support to build RSA keys from components in openssl
2009-09-14 14:29:10 +02:00
341af94dc6
support of PKCS#10 certificate request generation without attributes
2009-09-14 00:45:51 +02:00
210d287368
extended hasher_signature_algorithm_to_oid() function
2009-09-13 21:41:51 +02:00
f03e0e9147
support of PKCS#10 certificate request parsing
2009-09-13 21:00:15 +02:00
4c51c6be01
parsing error caused segfault in destroy()
2009-09-13 20:56:12 +02:00
beace4af14
corrected captions
2009-09-12 17:39:15 +02:00
6dc57cd02e
x509 plugin supports encoding of OCSP AuthorityInfo AccessLocations
2009-09-11 17:16:22 +02:00
3b878dae7e
Removed chunk_from_buf() in favor of a simpler chunk_from_chars() macro
2009-09-11 15:39:35 +02:00
881b259943
x509 plugin supports encoding of CRL distribution points
2009-09-11 15:36:22 +02:00
5b03a350fc
use NULL to load plugins from default plugin directory
2009-09-10 18:52:42 +02:00
d73f453c29
Updated x509 plugin to the new builder API
2009-09-10 16:20:21 +02:00
91ef5c66ab
Updated pubkey plugin to the new builder API
2009-09-10 16:20:20 +02:00
872176d350
Updated pkcs1 plugin to the new builder API
2009-09-10 16:20:20 +02:00
43224e9527
Updated pgp plugin to the new builder API
2009-09-10 16:20:20 +02:00
de408caf93
Updated pem plugin to the new builder API
2009-09-10 16:20:19 +02:00
30c06407c6
Updated openssl plugin to the new builder API
2009-09-10 16:20:19 +02:00
1086d00e41
Updated gmp plugin to the new builder API
2009-09-10 16:20:19 +02:00
a94acb58a2
Updated gcrypt plugin to the new builder API
2009-09-10 16:20:18 +02:00
26135ed9bb
Updated dnskey plugin to the new builder API
2009-09-10 16:20:18 +02:00
0a139eeac9
Updated agent plugin to the new builder API
2009-09-10 16:20:18 +02:00
7631aac20c
x509 certificates support encoding of email, DNS and IP subjectAltNames
2009-09-08 13:17:41 +02:00
d7be290643
non self-signed x509 certificates are encoded with authorityKeyIdentifier
2009-09-08 11:26:05 +02:00
5c92524449
x509 CA certificates are encoded with a subjectKeyIdentifier
2009-09-08 11:02:49 +02:00
8ab900dee9
x509 plugin supports encoding of CA basicConstraint extension
2009-09-08 10:38:02 +02:00
b7b5653386
Use macros to define --with options
2009-09-07 15:00:45 +02:00
8b3b4a244e
Removed trailing whitespaces in configure.in/Makefile.am
2009-09-07 11:48:03 +02:00
7b3814f75d
remove spaces before tabs at the beginning of lines (^( )+\t)
2009-09-04 15:02:11 +02:00
b9b8a98f47
remove spaces within tabs (\t( )+\t)
2009-09-04 15:00:19 +02:00
323f9f990f
replaces four spaces by tabs, where appropriate
2009-09-04 14:50:23 +02:00
7daf5226b7
removed trailing spaces ([[:space:]]+$)
2009-09-04 13:46:09 +02:00
d6a45127dc
plugins marked with a '!' are handled as critical: cancel if loading fails
2009-09-01 16:08:28 +02:00
f561d6f2e9
changed prefix of crl_reason_t values from CRL_ to CRL_REASON_
2009-08-31 23:21:50 +02:00
1d39663f7a
do not depend on gcrypt autoconf macros
2009-08-31 13:14:54 +02:00
735628f3e3
removed position debug output
2009-08-30 17:37:27 +02:00
bf3b8c90d0
added workaround to parse PEM encoded PGP key with KEY_RSA
2009-08-28 17:25:07 +02:00
4593ef51fd
implemented PGP Secret-Key Packet parsing
2009-08-28 17:23:58 +02:00
caf1af1d9f
fixed memleak
2009-08-28 16:16:39 +02:00
2aa67d2636
.., but a comment might be helpful
2009-08-28 09:28:39 +02:00
6be3f0f1d0
removed TODO reminder
2009-08-28 09:26:46 +02:00
be04eef270
allow choice of digest algorithm in certificate generation
2009-08-28 09:08:03 +02:00
e201f53e93
build_curve_signature() processes hash not data
2009-08-27 20:41:29 +02:00
1dbaec2177
NID_hash and NID_ec_curve were interchanged
2009-08-27 20:28:41 +02:00
ac6a0d5038
verify_signature() now processes hash not data
2009-08-27 20:18:22 +02:00
c812802482
NID_hash and NID_ec_curver were interchanged
2009-08-27 20:11:49 +02:00
10b2898d3c
verify that the ECDSA auth signature was done with the correct curve
2009-08-27 17:58:02 +02:00
472cb4ce77
distinguish between RFC 4754 (concatenated) and RFC 3279 (DER encoded) ECDSA signatures
2009-08-27 17:37:42 +02:00
8b10355c84
support generation of EC certificates
2009-08-27 13:59:30 +02:00
82749537e2
added support for SIGN_ECDSA_WITH_SHA1 signature scheme in openssl
2009-08-27 13:59:30 +02:00
eb73685dac
create algorithmIdentifier dynamically from OID database
2009-08-27 13:59:30 +02:00
09fe3c7e4c
pkcs1 encoder supports subjectPublicKeyInfo encoding
2009-08-27 13:59:30 +02:00
1a8ef8aabc
fixed memleak in openssl fingerprinting
2009-08-27 10:40:49 +02:00
b12c6d163d
do openssl fingerprinting/encoding directly, openssl provides all functions
2009-08-27 09:58:38 +02:00
083142c4a0
encoding public EC keys is not really possible without subjectPublicKeyInfo
2009-08-26 16:15:38 +02:00
df5c60bc5d
added a BUILD_FROM_FD option, supporting credential parsing from stdin
2009-08-26 13:03:23 +02:00
08ed551ce0
implemented openssl EC key generation
2009-08-26 11:23:55 +02:00
a0b850450f
fixed openssl RSA private key encoding
2009-08-26 11:23:55 +02:00
cb4f09eff3
updated agent plugin to new fingerprint/encoding API
2009-08-26 11:23:53 +02:00
8d09681559
updated pubkey plugin to new fingerprinting API
2009-08-26 11:23:52 +02:00
6b6ece636c
updated x509 plugin to public key/x509 API changes
2009-08-26 11:23:52 +02:00
e35c3e2a03
updated openssl plugin to new private/public key API, use encoder framework
2009-08-26 11:23:52 +02:00
cbd5138948
updated gcrypt plugin to new private/public key API, use encoder framework
2009-08-26 11:23:52 +02:00
741680d179
updated gmp plugin to new private/public key API, use encoder framework
2009-08-26 11:23:52 +02:00
64e77e8fbb
use credential builder API to parse trusted public keys
2009-08-26 11:23:52 +02:00
d1b3e8607e
implemented PGP fingerprinting
2009-08-26 11:23:51 +02:00
e773fe4cab
implemented pkcs1 private/public key encoding and fingerprinting
2009-08-26 11:23:51 +02:00
831520d895
gmp uses component builder to build public- from private-key
2009-08-26 11:23:51 +02:00
8380503168
gcrypt uses component builder to build public- from private-key
2009-08-26 11:23:51 +02:00
b457e08fca
moved PGP code to pluto and gpg plugin
2009-08-26 11:23:51 +02:00
7033a70fd0
gmp plugin makes use of pkcs1/pgp/dnskey plugins
2009-08-26 11:23:51 +02:00
cbfafc1125
enforce RSA_PRIME1 > RSA_PRIME2 (p > q) in PGP
2009-08-26 11:23:51 +02:00
5ef478aaee
implemented RFC3110 key builder in a plugin, added generic DNSKEY RR parsing
2009-08-26 11:23:51 +02:00
3addf4e937
renamed BUILD_BLOB_RFC_3110 to BUILD_BLOB_DNSKEY, we potentially support other key types
2009-08-26 11:23:51 +02:00
9493dd2ce0
implemented a pgp plugin providing PGP key parsing builders
2009-08-26 11:23:50 +02:00
4e3d1e804e
make use of the pkcs1 plugin in gcrypt rsa key parsing
2009-08-26 11:23:50 +02:00
3044774323
removed subjectPublicKeyInfo parsing, provided by pkcs1 plugin
2009-08-26 11:23:50 +02:00
1e0f69373a
implemented a pkcs1 plugin providing PKCS#1 key parsing builders
2009-08-26 11:23:50 +02:00
cbb62e8f4c
handle pluto specific certificates under CRED_CERTIFICATE, not as own credential kind
2009-08-26 11:23:49 +02:00
11aa7e7869
use a pluto specific credential builder to build pluto cert_t's
2009-08-26 11:23:49 +02:00
4d15129160
pass along X509 flags when loading PEM encoded data
2009-08-26 11:23:49 +02:00
280469923d
make use of the pem helper plugin to load credentials
2009-08-26 11:23:49 +02:00
c9db16b7dd
added file loading support to pem plugin, using mmap()
2009-08-26 11:23:48 +02:00
160f4c225d
moved PEM parsing functionality to its own plugin
2009-08-26 11:23:48 +02:00
3901937d14
OpenSolaris defines MUTEX_DEFAULT therefore we rename the members of the enums mutex/condvar/rwlock_type_t.
2009-08-14 13:30:59 +02:00
994b80b513
activated CAMELLIA_CBC cipher in openssl plugin
2009-08-05 22:46:53 +02:00
b6f739c13b
support of SHA224-based certificate signatures
2009-08-05 22:01:44 +02:00
def1777eca
streamlined integrity test output some more
2009-07-18 11:23:27 +02:00
6b04ba288d
streamlined debug output of integrity tests
2009-07-17 17:00:17 +02:00
233a132634
Removed an unnecessary include of a header that is not available on Mac OS X.
2009-07-15 22:42:22 +02:00
eebecebead
make ecp_x_coordinate_only = yes the default
2009-07-06 11:47:38 +02:00
21863d6361
ecp_x_coordinate only option allows ECP interoperability with MS Windows
2009-07-06 08:47:18 +02:00
876a6d737f
corrected comment
2009-07-04 09:26:36 +02:00
00fcc0f8f3
added -avoid-version to LDFLAGS, plugins are not versioned
2009-07-03 08:57:11 +02:00
a2f1bb238e
enforce correct RSA signature lenght in gcrypt
2009-06-30 12:10:30 +02:00
960e0c1040
check integrity of plugins before loading
2009-06-22 15:47:17 +02:00
31b9c10800
removed unneeded newline
2009-06-22 15:35:18 +02:00
1ea31180a0
HASH_MD2 is not implemented yet in gcrypt
2009-06-18 10:03:05 +02:00
3d7250d472
added test vector for NULL encryption
2009-06-18 09:59:24 +02:00
c233bb932a
added test vector for NULL encryption
2009-06-18 09:42:05 +02:00
21142d40d1
added md2 and md4 test vectors
2009-06-18 09:32:57 +02:00
6561694796
added 2 des test vectors
2009-06-18 08:23:51 +02:00
0e9ded6838
removed serpent and twofish plugins - use gcrypt instead
2009-06-18 07:27:40 +02:00
e1101d5994
added 2 RC5 test vectors
2009-06-17 22:34:03 +02:00
ed65740846
added 2 IDEA test vectors
2009-06-17 21:53:30 +02:00
364786b69f
added 6 serpent test vectors
2009-06-17 21:37:26 +02:00
142b7326a6
added 3 Twofish test vectors
2009-06-17 15:50:27 +02:00
a36c082da6
added one CAST-128 test vector
2009-06-17 15:24:20 +02:00
61bfc3acae
added 6 Camellia test vectors
2009-06-17 14:22:00 +02:00
22511bbd34
added 6 Camellia test vectors
2009-06-17 14:21:34 +02:00
942127a602
fixed 64 bit warning
2009-06-17 12:32:28 +02:00
c3fcdd9322
added 2 3DES-CBC and 3 AES-CBC test vectors
2009-06-17 00:08:44 +02:00
62d6da67dd
support older gcrypt libraries not defining the CAMELLIA cipher
2009-06-16 14:23:32 +02:00
24d7b25d21
fixed compiler warning
2009-06-16 14:21:55 +02:00
cd312fcc43
remove whitespace
2009-06-15 19:30:44 +02:00
25ecb8dafa
gcrypt actually does not implement IDEA
2009-06-15 18:18:04 +02:00
d32b14db5e
implemented gcrypt RSA encrypt/decrypt operations
2009-06-15 18:07:57 +02:00
810ce1f336
added a gcrypt.quick_random option to generate weak testing keys faster
2009-06-15 18:06:16 +02:00
04b348f61a
implemented IKEv1 specific SIGN_RSA_EMSA_PKCS1_NULL scheme in gcrypt
2009-06-15 14:47:39 +02:00
3176e4421f
check if RSA key is large enough to sign a chunk of data
2009-06-15 13:49:30 +02:00
e7227f0ba0
use save chunk advancing, check signature length
2009-06-15 13:37:52 +02:00
2b92fc9880
test_vectors.h is part of the distribution
2009-06-13 15:17:24 +02:00
11e6d28533
pluto supports ECDSA authentication
2009-06-12 19:59:49 +02:00
b59e239335
added SHA2 HMAC signer test vectors
2009-06-12 11:09:09 +02:00
Heiko Hund