[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Thu Jan 17 19:00:53 UTC 2019
New commits:
commit 0ac1aa502385bfdc218f39479d92068cfd83428a
Merge: ae0f08c ec5c82b
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Jan 17 13:38:40 2019 -0500
x509: store certs from message in the state
Store decoded certificate payloads in the state (as both certificates
and pubkeys) so that their lifetime is tied to the lifetime of the IKE
SA.
For IKEv2, split the certificate decode/verify (performed once before
a connection can switch) and id-check operations. Suspect
match_certs_id() makes .st_peer_alt_id somewhat redundant.
When trying to switch connections (CA search) and authenticate (pubkey
search), try the IKE SA's pubkey DB before the global pubkey DB.
Suspect there are more cases that need changing.
Because the SA specifc pubkeys are not stored in the global
pubkey DB they are no longer visible. For instance, ikev2-ecdsa-01
and nss-cert-nosecret need an update.
Merge commit 'ec5c82b9de8051d02dac19a231a9812dcf0dc0fe'
commit ec5c82b9de8051d02dac19a231a9812dcf0dc0fe
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Jan 16 13:20:57 2019 -0500
x509: store certificate payload pubkey's in state
When looking for the peer's CA and/or the peer's pubkey, try the
state's pubkey DB and then the global pubkey DB.
commit 57af196756b3d651a9ac0bada0e241ba854cf6f4
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Jan 16 12:36:56 2019 -0500
x509: explicitly pass &pluto_pubkeys (aka pubkey_db) into lookup/add functions
commit 89eeb35b81545e43379a3a76d0296883fd2a7ab1
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Jan 13 22:49:41 2019 -0500
x509: split interface into IKEv1, IKEv2; and IKEv2 into decode and verify
So that, IKEv2 only decodes the certificates once (and not once
per connection check). Force IKEv2 certificates to be stored
in the IKE SA.
commit b1e5f9aaf856b649fa18df5ee33a07d1d492af84
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Jan 13 16:43:26 2019 -0500
x509: move code matching PEER_ID with END_CERT to match_certs_id()
Keep old code working by including an UPDATE connection parameter.
When non-NULL and %fromcert, its contents may be scribbled on.
commit 9bc2e4e7f61ec5e4bfd303614974559ce389fbf4
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Jan 13 16:17:09 2019 -0500
x509: eliminate VERIFY_RET* replacing verify_and_cache_chain() with find_and_verify_certs()
Later returns verified certs; and sets CRL_NEEDED and BAD as
side effects.
For CRL_NEEDED clarify that this only applies when strict
crl checking is in force.
Sets things up for a separate check ID function.
commit 03c46cc6f15cbe0a21864db3880d6beb9ce62944
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Jan 13 13:48:43 2019 -0500
x509: convert rev_opts[] into a struct
commit cae5f8138f2b7c0a9cb2b30bf29029916862f0e6
Author: Andrew Cagney <cagney at gnu.org>
Date: Mon Jan 14 09:03:17 2019 -0500
testing: don't expect a certificate count in debug output
commit 41ee63782e4b443e2d184c3ad477018f9dc243ac
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Jan 13 11:52:48 2019 -0500
x509: decode the certs directly from the message digest
Rather than first copy them to the heap.
commit 5e61a6409dda96a3972d6eb655f4fa9c93dc456f
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Jan 10 20:36:08 2019 -0500
x509: plug certificate payload leak
Instead of letting them accumulate in nss NSS, attach them to the
state and release them when the state is deleted.
The theory is that the certs need to linger for as long as the state
so that the CRL code can find them and trigger a CRL fetch.
Use CERT_NewTempCertificate() to do the import.
More information about the Swan-commit
mailing list