[Swan-commit] Changes to ref refs/heads/master
Matt Rogers
mrogers at vault.libreswan.fi
Wed May 13 01:10:00 EEST 2015
New commits:
commit 7037550a3f9e41ace432cf3b0522aff1022d350e
Merge: 26fffb6 cc6116f
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 18:09:45 2015 -0400
Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan
commit 26fffb6af512e5aae0511130c5d18e6d876f1fc9
Merge: d0088db 8bb5216
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 18:09:22 2015 -0400
Merge branch 'nss_pkix'
commit 8bb52164a0844e4ac5093bc11104bae82ebea710
Merge: cf74d2c d0088db
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 16:55:48 2015 -0400
Merge branch 'master' into nss_pkix
commit d0088db3c48106c4e582ef162d3c2fafc659b64f
Merge: 102b630 c81fe04
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 16:53:45 2015 -0400
Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan
commit cf74d2c4594434275e72dd97ada091c8685fbf69
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 16:52:13 2015 -0400
libswan/pluto: move NSS copied code to its own file with the proper
license info
commit a5199dc90a9e942b9e0768a8892b2c084ba261ab
Merge: 29620e7 168c5f0
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 09:55:35 2015 -0400
Merge branch 'nss_pkix' of ssh://vault.libreswan.fi/srv/src/libreswan into nss_pkix
commit 29620e75dd0e8623fa1210621c1beb880b6bbd52
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue May 12 09:52:44 2015 -0400
x509: use cert->arena for temporary GNs
commit 168c5f03fb09d159a9813301ae3ab363947708d4
Merge: 2f113c3 10d6814
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue May 12 16:23:49 2015 +0300
Merge branch 'master' into nss_pkix
commit 2f113c3770247f3c1110560d518a7d02eef1d585
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon May 11 17:46:00 2015 +0300
connections.c: fix minor coding style problems
commit 561e51746a10bf54de75fa3fdea1afa66fe3e6c4
Author: Matt Rogers <mrogers at redhat.com>
Date: Sun May 10 23:32:51 2015 -0400
testing: a handful of nss-cert* test output updates
commit 3d300caa49fe41effed4d823474cffd0c1391ece
Author: Matt Rogers <mrogers at redhat.com>
Date: Sun May 10 23:14:22 2015 -0400
x509: make --listcrls display output information similar to its pre-NSS output
The only thing missing is the leading "installed" date. NSS crls do not expose
that information.
commit afcb091e2798aeb33277019167570832f4066f1c
Author: Matt Rogers <mrogers at redhat.com>
Date: Sun May 10 00:41:26 2015 -0400
x509: after f42083d9 the flags for requiring fresh CRL info caused
verification to fail on non-revoked certs.
commit d37a9efbfd72783aececdf0e1fe310b203146580
Merge: 7b994fc 102b630
Author: Matt Rogers <mrogers at redhat.com>
Date: Sat May 9 02:09:55 2015 -0400
Merge branch 'master' into nss_pkix
Conflicts:
testing/pluto/nss-cert-03-ikev2/west.console.txt
testing/pluto/nss-cert-04/west.console.txt
testing/pluto/nss-cert-05/west.console.txt
testing/pluto/nss-cert-chain-02/west.console.txt
testing/pluto/nss-cert-crl-02/west.console.txt
testing/pluto/nss-cert-ocsp-02-strict/west.console.txt
testing/pluto/nss-cert-ocsp-02/west.console.txt
testing/pluto/nss-cert-ocsp-03-strict/east.console.txt
testing/pluto/nss-cert-ocsp-03-strict/west.console.txt
testing/pluto/nss-cert-ocsp-04-strict/west.console.txt
testing/pluto/nss-cert-ocsp-06/west.console.txt
commit 102b630bda9333992cf4846ea0215f8a0fcbd12c
Author: Matt Rogers <mrogers at redhat.com>
Date: Sat May 9 01:55:17 2015 -0400
Revert "pluto: Fix bogus "no RSA public key known for '%fromcert'""
This reverts commit 9647eb0df272f3cfc4d9232efee35ceb607d2ef7.
Pre-merge revert to avoid conflict
commit 7b994fcb4214679f3c036d3d35e50c79f8eaad67
Author: Matt Rogers <mrogers at redhat.com>
Date: Sat May 9 01:53:07 2015 -0400
testing: add nss-cert-07 for testing DN order matching
commit 5d3f34fe8e08dd244b373d0da28173fba0821099
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 8 18:02:11 2015 -0400
pluto: add NSS based DN matching functions, wildcard and non-wildcard variants
These improve DN matching by allowing ID_DER_ASN1_DN names to be specified
in any order, e.g. rightid="C=US, O=Org, OU=Unit, CN=host" will match
"C=US, CN=host, O=Org, OU=Unit".
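To illustrate the order-insensitive matching described in this commit message, here is an added example (not libreswan's code): DNs are split into RDNs and compared as multisets, so the rightid above matches a peer whose components arrive in a different order. The wildcard variant is an assumption about semantics: a configured RDN with value "*" matches any value for that attribute, and component counts must still agree.

```python
"""Order-insensitive X.509 DN matching (added illustration, not libreswan code)."""
import re
from collections import Counter

# Split on commas that are not escaped with a backslash. Only the "\,"
# escape of RFC 4514 is handled (assumption: enough for ipsec.conf style IDs).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return a list of (attribute, value) pairs; attribute names upper-cased."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('RDN without "=": %r' % part)
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def dn_match(configured, peer):
    """Non-wildcard variant: identical RDNs in any order, same multiplicity."""
    return Counter(parse_dn(configured)) == Counter(parse_dn(peer))


def dn_match_wildcard(pattern, peer):
    """Wildcard variant (assumed semantics): a pattern RDN whose value is '*'
    matches any value for that attribute. Every pattern RDN consumes exactly
    one peer RDN and nothing may be left over, so a peer cannot add or drop
    components to satisfy the pattern."""
    remaining = list(parse_dn(peer))
    # Consume exact RDNs before wildcards so a wildcard never "steals" a peer
    # RDN that an exact pattern component needs.
    for attr, value in sorted(parse_dn(pattern), key=lambda rv: rv[1] == '*'):
        for i, (pattr, pvalue) in enumerate(remaining):
            if attr == pattr and (value == '*' or value == pvalue):
                del remaining[i]
                break
        else:
            return False
    return not remaining
```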
commit a690cce5b300086d053f17822ff87b116cb7da77
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 8 11:44:13 2015 -0400
x509: use dntoa printouts for listing cert subject and issuer names
commit a23802733b7d82dae732c9ebba2ef5f5310c2e0d
Author: Matt Rogers <mrogers at redhat.com>
Date: Thu May 7 01:16:20 2015 -0400
x509: Use a cached CRL even with crlcheckinterval=0
commit ae40f131d92e80101592fd3981f44ce9aec5ab50
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed May 6 15:40:48 2015 -0400
testing: add nss-cert-crl-02-fetch
commit b1a9daba3ec508eb32bf4931e296055d1cd70c87
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed May 6 15:31:07 2015 -0400
x509: restore the original CRL checking behavior that requests a fetch
attempt when there is no CRL cached, rather than only on CRLs that need
updating.
commit 1d5ccc9e0db7fda5f47c7662beece433332aba02
Author: Matt Rogers <mrogers at redhat.com>
Date: Mon May 4 17:56:56 2015 -0400
fix --listcrls command by shuffling the order of option_enums LST_ values
commit a47d7ae5a4b010ff968649d1ee1924e6b9426bb9
Author: Matt Rogers <mrogers at redhat.com>
Date: Mon May 4 17:00:19 2015 -0400
Switch to DER_DecodeTimeChoice() for decoding CRL time
commit b3a71a7d00788122eb2121d77d14fa31dd9158d9
Author: Matt Rogers <mrogers at redhat.com>
Date: Mon May 4 16:57:43 2015 -0400
Avoid listing all of a CRL's revoked entries (this information can
be gathered from crlutil if needed)
commit f42083d99675af322fbbf9b80194846ea139474f
Author: Matt Rogers <mrogers at redhat.com>
Date: Mon May 4 13:20:49 2015 -0400
Force NSS to not attempt a remote CRL fetch during verification,
since we are still relying on the fetch thread for that. The inline
fetching caused a one minute deadlock of pluto when the URI was
unreachable
commit a01da061d60670328d7e64421f8aadec786bb8d7
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 18:16:46 2015 -0400
Fix compile without LIBCURL
commit f01e3de46b353c2bbe6219c679d3dd6927321ebb
Author: Herbert Xu <herbert at gondor.apana.org.au>
Date: Fri May 1 05:59:22 2015 +0800
pluto: Fix bogus "no RSA public key known for '%fromcert'"
When refine_host_connection tests against a %fromcert RW connection
followed by other right=%any connections with fixed IDs (e.g.,
@hostname), it will lose the fromcert setting. So when it does
eventually return with the %fromcert RW connection fromcert will
be set to false and therefore the actual certificate ID won't be
copied into spd.that.id, resulting in a bogus "no RSA public key
known for '%fromcert'".
This error won't happen if the order of matching is reversed and
the %fromcert connection gets tested last. So that's why the
connection sometimes works but often fails with an authentication
error.
This patch fixes it by keeping the fromcert setting of the best
match.
Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: Matt Rogers <mrogers at redhat.com>
commit 66853def18d0ea9b429e14865d323acb3b858477
Author: Herbert Xu <herbert at gondor.apana.org.au>
Date: Thu Apr 30 18:07:47 2015 +0800
pluto: Fix NSS certificate crash
When we instantiate a connection we simply copy the certificate
over, without getting a reference count over the new certificate
reference, resulting in a bogus certificate when the instance is
deleted.
Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: Matt Rogers <mrogers at redhat.com>
commit 2485ca8312add940dfc75e65261daec60a7ec047
Merge: c53412d 6094bb3
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 13:46:46 2015 -0400
Merge branch 'nss_pkix' of ssh://vault.libreswan.fi/srv/src/libreswan into nss_pkix
commit c53412d1fb0fcd15736c1b9c407902cb1255e693
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 11:56:08 2015 -0400
display proper hex certificate serial numbers
commit b75356a51b596b6c8abd16666abf996acd433521
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 03:38:46 2015 -0400
testing: large update to x509 related tests
commit b1738539c73334c2cc820fb59a66368600221a07
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 03:34:46 2015 -0400
set ocspd.conf to not just listen on localhost and lower thread count
commit 78c57b20116723ec7d6ddfc12138ae071466436c
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 03:33:02 2015 -0400
Change C=ca to C=CA for test cert subjects
commit fb507bec529d6983008e36596faa25fccd8ed635
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 03:30:30 2015 -0400
set NSS db location also when using --ipsecdir or ipsecdir=
commit b6801b8e49cce8b153f42aa53d017d947a46300b
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri May 1 03:27:32 2015 -0400
Check both CA and root status of root certs going into the trust list
commit 6094bb37aaa3d34d7223bba3d831e26e54061721
Author: Herbert Xu <herbert at gondor.apana.org.au>
Date: Thu Apr 30 10:48:34 2015 -0400
pluto: fix crt_tmp_import() to prevent dereferencing unallocated memory
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 5d654571d15fccf3c2d352d1a44c69b57791ae06
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 16:08:06 2015 -0400
testing: add nss-cert-02-eku and nss-cert-02-eku-combined tests
commit cfeac083e0b8d41a789eb42fba2b0d836bee37db
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 16:04:44 2015 -0400
testing: make proper serverAuth, clientAuth, KU certs
commit d4591c973aa29a79271a9558348abc408da80ce7
Merge: e4adaaa 6b8edb7
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 01:51:26 2015 -0400
Merge branch 'nss_pkix' of ssh://vault.libreswan.fi/srv/src/libreswan into nss_pkix
commit e4adaaa63284614b35fc9e00012ec2e6ce198b31
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 01:40:11 2015 -0400
fix serverAuth verify failover logic - comparing get_node_error_status()
results to SEC_ERROR_ was incorrect
commit 369f58c95c1cae4199b4d763ba09fa04b06b25f7
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 01:34:47 2015 -0400
Add serverAuth EKU to test certs - this way the failover logic is always tested
commit 26299b513526ca7c2d6d62863331189f0b45b566
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 00:42:06 2015 -0400
testing: add nss-cert-06 (ID_FQDN x509 connswitch)
commit eb75b56799e5383969a17fdad258a8eda3300548
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 00:22:29 2015 -0400
Add DNS subjectAltName extensions to the testing certs
commit 4f6cc137a7647147be974ecd02f8b09c20018904
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 29 00:20:03 2015 -0400
restore the adding of SAN pubkeys for local and remote certs, necessary
for using peer ID_FQDN IDs
commit 6b8edb7a298d64a00642e2cc5598741aa9ea9121
Merge: efe1198 92658b1
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Apr 27 10:18:12 2015 -0400
Merge branch 'master' into nss_pkix
commit efe11989553f4fdc77359d2e8e796c12abfc1f16
Author: Matt Rogers <mrogers at redhat.com>
Date: Sun Apr 26 17:03:48 2015 -0400
Add my testing ssh key to authorized_keys
commit f8a973a80d5ce418ee2af2d6831c84f22ce73d53
Author: Matt Rogers <mrogers at redhat.com>
Date: Sun Apr 26 17:02:41 2015 -0400
fix connection switching for x509 roadwarriors
- restore peer ca default of %any (instead of %same)
- verify cert against all root CAs in NSS, as connection refining
handles the specific CA match
- ikevX_decode_cert returns FALSE only for revoked certs and internal
errors. This allows connection refining to happen otherwise
commit e1bb41f9f661b42c50eac82b98b56737dc90fbfc
Merge: 21a831b 2ebd96e
Author: Matt Rogers <mrogers at redhat.com>
Date: Sun Apr 26 16:18:17 2015 -0400
Merge branch 'master' into nss_pkix
commit 21a831b57d0416adccdd38aa15fe268c1dda8d70
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 22 15:09:57 2015 -0400
x509: add a fallback verify to the NSS 'server' usage profile
Until NSS has an IKE profile to use this will allow support for
certs that fit under either the 'client' or 'server' profile.
commit 7532e66fad9711c75be08649da2751ce079320b4
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Apr 22 15:03:26 2015 -0400
testing: update for cert_verify pkix usage workaround
commit 4488f732e7b6c44c43b3c741a81fa5ff42e3c717
Merge: d1880db 4079ff0
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue Apr 21 01:19:24 2015 -0400
Merge branch 'nss_pkix' of ssh://vault.libreswan.fi/srv/src/libreswan into nss_pkix
commit d1880dbf97dbe6e3b1099db18fc9c794df23cb35
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue Apr 21 01:08:53 2015 -0400
Add returns to ikev*_decode_cert()
Rather than relying on the assumption that when an incoming
certificate fails verification the connection will not have a
peer public key (and abort for that reason), have the exchange
abort immediately.
commit 4079ff0378dcffc867ebea28a66250ecd8afd7de
Merge: 9de9195 15d1fe9
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 15 12:13:40 2015 -0400
Merge branch 'master' into nss_pkix
commit 9de9195f344c6acef649afc3b0b9e047d21d85e2
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue Apr 14 01:13:22 2015 -0400
rework id-from-certificate handling code
- fixes a group of leaks from generalname conversions
- some renaming and refactoring
- certificates no longer have all subjectAltNames added as
pubkey entries regardless of the use of a subjectAltName ID
commit e67e48b1d9e2cf75c38d2c0c31e56e63b10e5166
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue Apr 7 15:06:19 2015 -0400
testing: nss-cert-* test CA DN correction
commit 6b39de32e9203e5a3e176f37724c4b9cf7b1c280
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue Apr 7 13:25:15 2015 -0400
testing: update cert_verify test programs for PKIX verification
commit db2458adcc6adcf2e6977247a81576c15f9cdca3
Author: Matt Rogers <mrogers at redhat.com>
Date: Tue Apr 7 13:20:48 2015 -0400
switch to NSS CERT_PKIXVerifyCert() method