Seems to be required on macOS (libtls tests didn't run before the recent
implicit enabling via pki). Other platforms apparently let accept() fail
if the socket is shutdown/closed in teardown_creds(), macOS apparently
doesn't do that.
When an X.509 certificate has to be renewed it is helpful to use
the old PKCS#10 certificate request as a template, so that the
distinguishedName (DN), the subjectAlternativeName (SAN) and
a certificate profile name don't have to be typed-in again.
The old public key in the existing certreq is replaced with the
new key and the signature is re-generated using the new private key.
In order for libtls to run with the gcrypt libraryi, additionally the
random, pem, gcm, hmac, kdf, x509, constraints, and the curve2519
plugins are needed.
The botan library additionally need the hmac (for HMAC_MD5), x509 and
constraints plugins.
The wolfssl library additionally need the pkcs1, pkcs8, x509 and constraints
plugins.
With the --keyid option private keys stored on a smartcard or in
a TPM 2.0 can be used for public key based client authentication.
With the --certid option the corresponding client certificate
can reside on a smartcard or a TPM 2.0.
The gcm plugin has been added to the default plugins and all
certificate types are loaded to allow the libtls socket unit
tests to run with the strongSwan default plugins.
Currently when a TLS client doesn't have a certificate, it doesn't
send a certficiate payload upon receiving a certificate request
from the TLS server. According to the TLS 1.2 and 1.3 RFCs an
empty certificate payload must be sent.
The msCertificateTypeExtension OID (1.3.6.1.4.1.311.20.2) can
be used in a PKCS#10 certificate request to define a certificate
profile. It consists of an UTF8 string.
pki: profile option
The "ipsec scepclient" tool has been removed and replaced by the
pki subcommands "pki --scep" and "pki --scepca" which implement the
new SCEP RFC 8894 standard that was released in September 2020 and
which supports trusted "certificate renewal" based on the existing
client certificate.
Rename `encrypt` methods to avoid the following build failure when wolfSSL
is built with --enable-opensslextra:
In file included from ../../../../src/libstrongswan/utils/utils.h:59,
from ../../../../src/libstrongswan/library.h:101,
from wolfssl_common.h:29,
from wolfssl_aead.c:23:
wolfssl_aead.c:90:16: error: conflicting types for 'encrypt'; have '_Bool(union <anonymous>, chunk_t, chunk_t, chunk_t, chunk_t *)'
90 | METHOD(aead_t, encrypt, bool,
| ^~~~~~~
../../../../src/libstrongswan/utils/utils/object.h:99:20: note: in definition of macro 'METHOD'
99 | static ret name(union {iface *_public; this;} \
| ^~~~
In file included from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/wc_port.h:573,
from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/types.h:35,
from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/logging.h:33,
from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/ssl.h:35,
from wolfssl_common.h:64,
from wolfssl_aead.c:23:
/home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/unistd.h:149:6: note: previous declaration of 'encrypt' with type 'void(char *, int)'
149 | void encrypt(char *, int);
| ^~~~~~~
Closesstrongswan/strongswan#1201
Since the allocated data was smaller than sizeof(eap_mschapv2_header_t),
the following compile error was triggered (with newer GCC versions):
eap_mschapv2.c: In function 'process_peer_success':
eap_mschapv2.c:945:12: error: array subscript 'eap_mschapv2_header_t[0]' is partly outside array bounds of 'unsigned char[6]' [-Werror=array-bounds]
945 | eap->code = EAP_RESPONSE;
| ^~
In file included from /usr/include/stdlib.h:587,
from ../../../../src/libstrongswan/utils/printf_hook/printf_hook.h:26,
from ../../../../src/libstrongswan/library.h:101,
from ../../../../src/libcharon/sa/eap/eap_method.h:28,
from eap_mschapv2.h:27,
from eap_mschapv2.c:18:
eap_mschapv2.c:944:15: note: object of size 6 allocated by '__builtin_alloca'
944 | eap = alloca(len);
| ^~~~~~
Closesstrongswan/strongswan#1188Closesstrongswan/strongswan#1215
The content field of type OCTET STRING of a ContentInfo object
with ContentType Data
ContentInfo ::= SEQUENCE {
contentType ContentType,
content
[0] EXPLICIT OCTET STRING OPTIONAL
is optional and can be missing if no data is available
