Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | testing: Converted gcrypt-ikev1 to systemd | Andreas Steffen | 2017-11-10 | 8 | -31/+63 |
| | |||||
* | testing: Converted af-alg to systemd | Andreas Steffen | 2017-11-10 | 9 | -35/+72 |
| | |||||
* | testing: Enable systemd | Andreas Steffen | 2017-11-10 | 3 | -3/+4 |
| | |||||
* | testing: Updated some descriptions | Andreas Steffen | 2017-11-10 | 3 | -9/+9 |
| | |||||
* | libtpmtss: Added missing argument in hasher_from_signature_scheme() | Andreas Steffen | 2017-11-10 | 1 | -1/+1 |
| | |||||
* | charon-tkm: Unlink PID file after deinit | Tobias Brunner | 2017-11-10 | 1 | -11/+31 |
| | | | | | | Same change as for charon in the previous commit. References #2460. | ||||
* | charon: Unlink PID file after daemon deinit (i.e. after unloading plugins etc.) | Tobias Brunner | 2017-11-10 | 1 | -9/+14 |
| | | | | | | | | Make sure, though, that we only remove the file if we actually created it (e.g. not for --help or --version). And do so before deinitializing libstrongswan due to leak detective. Fixes #2460. | ||||
* | unit-tests: Rename targets for libstrongswan and kernel-netlink | Thomas Egerer | 2017-11-09 | 2 | -10/+10 |
| | | | | | | | | | libstrongswan and kernel-netlink are the only two components which do not adhere to the naming scheme used for all other tests. If the tests are run by an external application this imposes problems due to clashing names. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | ||||
* | Merge branch 'rsassa-pss' | Tobias Brunner | 2017-11-08 | 116 | -593/+8494 |
|\ | | | | | | | | | | | | | | | | | | | | | This adds support for RSASSA-PSS signatures in IKEv2 digital signature authentication (RFC 7427), certificates and CRLs etc., and when signing credentials via pki tool. For interoperability with older versions, the default is to use classic PKCS#1 signatures. To use PSS padding either enable rsa_pss via strongswan.conf or explicitly use it either via ike:rsa/pss... auth token or the --rsa-padding option of the pki tool. References #2427. | ||||
| * | auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf | Tobias Brunner | 2017-11-08 | 4 | -16/+94 |
| | | | | | | | | Also document the rsa/pss prefix. | ||||
| * | pki: Enable PSS padding if enabled in strongswan.conf | Tobias Brunner | 2017-11-08 | 5 | -5/+11 |
| | | |||||
| * | pki: Optionally generate RSA/PSS signatures | Tobias Brunner | 2017-11-08 | 13 | -45/+179 |
| | | |||||
| * | pki: Indent usage lines properly automatically | Tobias Brunner | 2017-11-08 | 5 | -13/+13 |
| | | |||||
| * | Treat RSASSA-PSS keys like rsaEncryption RSA keys | Tobias Brunner | 2017-11-08 | 3 | -1/+20 |
| | | | | | | | | | | | | | | | | | | | | In theory we should treat any parameters and the identifier itself as restriction to only use the key to create signatures accordingly (e.g. only use RSA with PSS padding or even use specific hash algorithms). But that's currently tricky as we'd have to store and pass this information along with our private keys (i.e. use PKCS#8 to store them and change the builder calls to pass along the identifier and parameters). That would require quite some work. | ||||
| * | openssl: Add support for signature schemes with parameters | Tobias Brunner | 2017-11-08 | 2 | -47/+34 |
| | | |||||
| * | pki: Properly forward digest to attribute certificate builder | Tobias Brunner | 2017-11-08 | 1 | -0/+1 |
| | | |||||
| * | x509: Add support for signature schemes with parameters | Tobias Brunner | 2017-11-08 | 5 | -143/+220 |
| | | | | | | | | | | Also adds support for specifying the hash algorithm for attribute certificate signatures. | ||||
| * | builder: Add builder option to pass signature scheme and params | Tobias Brunner | 2017-11-08 | 2 | -1/+4 |
| | | |||||
| * | ikev2: Use helpers to build signature auth data | Tobias Brunner | 2017-11-08 | 1 | -40/+4 |
| | | |||||
| * | signature-params: Add helpers to parse/build ASN.1 algorithmIdentifier for ↵ | Tobias Brunner | 2017-11-08 | 3 | -0/+196 |
| | | | | | | | | signature schemes | ||||
| * | ikev2: Enumerate RSA/PSS schemes and use them if enabled | Tobias Brunner | 2017-11-08 | 6 | -38/+67 |
| | | |||||
| * | ikev2: Support signing with RSASSA-PSS via RFC 7427 signature auth | Tobias Brunner | 2017-11-08 | 1 | -6/+21 |
| | | |||||
| * | signature-params: Use helper to build MGF1 algorithmIdentifier | Tobias Brunner | 2017-11-08 | 1 | -2/+2 |
| | | |||||
| * | asn1: Add helper function to create algorithmIdentifier with parameters | Tobias Brunner | 2017-11-08 | 2 | -6/+23 |
| | | |||||
| * | ikev2: Verify RSASSA-PSS signatures via RFC 7427 signature auth | Tobias Brunner | 2017-11-08 | 1 | -19/+34 |
| | | |||||
| * | keymat_v2: Pass/receive signature schemes as signature_param_t objects | Tobias Brunner | 2017-11-08 | 2 | -28/+58 |
| | | |||||
| * | auth-cfg: Parse rsa/pss auth tokens | Tobias Brunner | 2017-11-08 | 2 | -25/+136 |
| | | |||||
| * | auth-cfg: Store signature schemes as signature_params_t objects | Tobias Brunner | 2017-11-08 | 10 | -67/+116 |
| | | | | | | | | | | Due to circular references the hasher_from_signature_scheme() helper does not take a signature_params_t object. | ||||
| * | certificate: Return signature scheme and parameters from issued_by() method | Tobias Brunner | 2017-11-08 | 29 | -72/+124 |
| | | | | | | | | | | This also required some include restructuring (avoid including library.h in headers) to avoid unresolvable circular dependencies. | ||||
| * | signature-params: Add helper struct for signature scheme and parameters | Tobias Brunner | 2017-11-08 | 3 | -18/+319 |
| | | |||||
| * | android: Add support for creating RSASSA-PSS signatures via JNI | Tobias Brunner | 2017-11-08 | 1 | -2/+142 |
| | | |||||
| * | unit-tests: Add RSA-PSS signature tests with specific salts | Tobias Brunner | 2017-11-08 | 1 | -92/+818 |
| | | |||||
| * | gcrypt: Add support for static salts when signing with RSA-PSS | Tobias Brunner | 2017-11-08 | 1 | -6/+17 |
| | | |||||
| * | gmp: Add support for static salts when signing with RSA-PSS | Tobias Brunner | 2017-11-08 | 1 | -2/+6 |
| | | |||||
| * | signature-params: Optionally pass a specific salt value when signing | Tobias Brunner | 2017-11-08 | 1 | -0/+2 |
| | | |||||
| * | unit-tests: Warn if we skip RSA tests due to dependencies | Tobias Brunner | 2017-11-08 | 1 | -0/+11 |
| | | |||||
| * | unit-tests: Add ability to issue a warning message for a test case | Tobias Brunner | 2017-11-08 | 3 | -6/+116 |
| | | | | | | | | | | This way we can warn if we e.g. skipped actually doing something due to dependencies (otherwise the test case would just appear to have succeeded). | ||||
| * | mgf1: Add support for SHA-224/384 based MGF1 | Tobias Brunner | 2017-11-08 | 2 | -1/+11 |
| | | |||||
| * | xof: Add identifiers for MGF1 XOFs based on SHA-224/384 | Tobias Brunner | 2017-11-08 | 2 | -5/+13 |
| | | |||||
| * | gmp: Use helper to determine XOF type | Tobias Brunner | 2017-11-08 | 2 | -28/+10 |
| | | |||||
| * | xof: Add helper to determine MGF1 XOF type from hash algorithm | Tobias Brunner | 2017-11-08 | 2 | -0/+38 |
| | | |||||
| * | gcrypt: Add support for RSA-PSS signatures | Tobias Brunner | 2017-11-08 | 3 | -31/+127 |
| | | | | | | | | | | | | | | | | For salt lengths other than 20 this requires 0bd8137e68c2 ("cipher: Add option to specify salt length for PSS verification."), which was included in libgcrypt 1.7.0 (for Ubuntu requires 17.04). As that makes it pretty much useless for us (SHA-1 is a MUST NOT), we require that version to even provide the feature. | ||||
| * | gcrypt: Register supported RSA signature/verification schemes | Tobias Brunner | 2017-11-08 | 1 | -0/+16 |
| | | |||||
| * | configure: Enable mgf1 plugin if gmp plugin is enabled | Tobias Brunner | 2017-11-08 | 1 | -1/+1 |
| | | |||||
| * | gmp: Add support for RSASSA-PSS signature verification | Tobias Brunner | 2017-11-08 | 2 | -2/+140 |
| | | |||||
| * | gmp: Add support for RSASSA-PSS signature creation | Tobias Brunner | 2017-11-08 | 2 | -0/+130 |
| | | |||||
| * | unit-tests: Add FIPS 186-4 RSASSA-PSS test vectors | Tobias Brunner | 2017-11-08 | 1 | -0/+1629 |
| | | | | | | | | | | | | | | | | Since not all implementations allow setting a specific salt value when generating signatures (e.g. OpenSSL doesn't), we are often limited to only using the test vectors with salt length of 0. We also exclude test vectors with SHA-1, SHA-224 and SHA-384. | ||||
| * | unit-tests: Create and verify some RSA PSS signatures | Tobias Brunner | 2017-11-08 | 1 | -3/+25 |
| | | |||||
| * | openssl: Add support for verifying RSASSA-PSS signatures | Tobias Brunner | 2017-11-08 | 2 | -3/+142 |
| | | |||||
| * | openssl: Add support for creating RSASSA-PSS signatures | Tobias Brunner | 2017-11-08 | 2 | -5/+132 |
| | |