aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/credentials
Commit message (Collapse)AuthorAgeFilesLines
* Use standard unsigned integer typesAndreas Steffen2016-03-243-7/+7
|
* Fix some Doxygen issuesTobias Brunner2016-03-111-5/+5
|
* auth-cfg: Add a rule to suspend certificate validation constraintsTobias Brunner2016-03-102-0/+18
|
* credential-manager: Check cache queue when destroying trusted certificate ↵Tobias Brunner2016-03-101-1/+2
| | | | | | | | | | enumerator We already do this in the trusted public key enumerator (which internally uses the trusted certificate enumerator) but should do so also when this enumerator is used directly (since the public key enumerator has the read lock the additional call will just be skipped there).
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-3/+9
| | | | enumerator
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-042-37/+63
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-30/+68
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-172-0/+117
|
* Refactored certificate management for the vici and stroke interfaces5.4.0dr1Andreas Steffen2015-12-122-30/+130
|
* Changed some certificate_type_names and added x509_flag_namesAndreas Steffen2015-12-113-4/+36
|
* Print OCSP single responsesAndreas Steffen2015-12-112-3/+82
|
* Standardized printing of certificate informationAndreas Steffen2015-12-112-0/+651
| | | | | | | The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
* auth-cfg: Prefer merged rules over existing ones when moving themTobias Brunner2015-11-121-3/+3
| | | | | | This is particularly important for single valued rules (e.g. identities). When copying values this is already handled correctly by the enumerator and add().
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-062-28/+28
|
* Support BLISS signatures with SHA-3 hashAndreas Steffen2015-11-032-4/+28
|
* auth-cfg: Don't enforce EAP_RADIUSTobias Brunner2015-08-211-1/+2
| | | | | Basically the same as e79b0e07e4ab. EAP_RADIUS is also a virtual method that will identify itself as a different EAP method later.
* mem-cred: We don't need a write lock when looking for a certificateTobias Brunner2015-08-201-1/+1
|
* mem-cred: Add a method to atomically replace all certificatesTobias Brunner2015-08-202-10/+58
|
* auth-cfg: Don't enforce EAP_DYNAMICTobias Brunner2015-08-201-1/+2
| | | | | We now store the actual method on the auth config, which won't match anymore if rightauth=eap-dynamic is configured.
* auth-cfg: Matching one CA should be enough, similar to peer certificatesTobias Brunner2015-08-171-15/+20
| | | | | | | | | | Not sure if defining multiple CA constraints and enforcing _all_ of them, i.e. the previous behavior, makes even sense. To ensure a very specific chain it should be enough to define the last intermediate CA. On the other hand, the ability to define multiple CAs could simplify configuration. This can currently only be used with swanctl/VICI based configs as `rightca` only takes a single DN.
* Fixed some typosTobias Brunner2015-08-132-2/+2
|
* credential-manager: Store BLISS key strength in auth configTobias Brunner2015-03-041-0/+3
|
* auth-cfg: Add BLISS key strength constraintTobias Brunner2015-03-042-21/+43
|
* public-key: Add helper to determine acceptable signature schemes for keysTobias Brunner2015-03-042-0/+78
|
* public-key: Add helper to map signature schemes to ASN.1 OIDsTobias Brunner2015-03-042-3/+54
| | | | | | There is a similar function to map key_type_t and hasher_t to an OID, but this maps schemes directly (and to use the other function we'd have to have a function to map schemes to hash algorithms first).
* public-key: Add helper to determine key type from signature schemeTobias Brunner2015-03-042-0/+43
|
* mem-cred: Add a method to unify certificate references, without adding itMartin Willi2015-03-032-0/+31
| | | | | In contrast to add_cert_ref(), get_cert_ref() does not add the certificate to the set, but only finds a reference to the same certificate, if found.
* Allow SHA256 and SHA384 data hash for BLISS signatures.Andreas Steffen2015-02-262-0/+10
| | | | | The default is SHA512 since this hash function is also used for the c_indices random oracle.
* Started implementing BLISS signature generationAndreas Steffen2014-11-292-7/+7
|
* Store and parse BLISS private and public keys in DER and PEM formatAndreas Steffen2014-11-291-0/+4
| | | | | | | | Additionally generate SHA-1 fingerprints of raw BLISS subjectPublicKey and subjectPublicKeyInfo objects. Some basic functions used by the bliss_public_key class are shared with the bliss_private_key class.
* Created framework for BLISS post-quantum signature algorithmAndreas Steffen2014-11-292-5/+16
|
* cert-cache: Prevent that a cached issuer is freed too earlyTobias Brunner2014-10-241-7/+10
| | | | | | | | Previously we got no reference to the cached issuer certificate before releasing the lock of the cache line, this allowed other threads, or even the same thread if it replaces a cache line, to destroy that issuer certificate in cache() (or flush()) before get_ref() for the issuer certificate is finally called.
* auth-cfg: Fix crash after several reauthentications with multiple ↵Tobias Brunner2014-09-111-1/+1
| | | | | | | | | | authentication rounds Due to the issue described in c641974, purge() inadvertently destroyed CA certificates that should have been kept (while the pointer to these objects remained in the array). This lead to incorrect reference counts and after a few reauthentications with multiple authentication rounds, which cause calls to purge(TRUE), to crashes.
* credmgr: Fix copy and paste error in add_validatorThomas Egerer2014-08-291-1/+1
| | | | | | | | | This won't hurt as long as sets and validators are of the same class. But as soon as one of the object's class is changed this will cause either a compile error (best option), or result (most likely) in a crash. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* windows: Provide a sched_yield() implementationMartin Willi2014-06-041-1/+0
|
* crl: Undefine <wincrypt.h>'s CRL_REASON_* and use our enum values insteadMartin Willi2014-06-031-8/+20
|
* auth-cfg: Cast literal default value to pointer typeMartin Willi2014-05-161-1/+1
| | | | Fixes a clang warning.
* mem-cred: Replace existing equal shared keys during add_shared()Martin Willi2014-05-071-3/+56
|
* mem-cred: Replace existing equal private keys during add_key()Martin Willi2014-05-071-0/+17
|
* Added PUBKEY_RSA_MODULUS encoding typeAndreas Steffen2014-05-021-0/+2
|
* Added support for msSmartcardLogon EKUAndreas Steffen2014-04-081-10/+12
|
* Properly hash pointers for hash tables where appropriateTobias Brunner2014-03-311-17/+2
| | | | | Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.
* auth-cfg: Declare an attribute certificate helper type to exchange acertsMartin Willi2014-03-313-2/+15
|
* x509: Replace the comma separated string AC group builder with a list based oneMartin Willi2014-03-312-4/+3
|
* x509: Integrate IETF attribute handling, and obsolete ietf_attributes_tMartin Willi2014-03-313-627/+0
| | | | | The ietf_attributes_t class is used for attribute certificates only these days, and integrating them to x509_ac_t simplifies things significantly.
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-313-50/+60
|
* ac: Remove unimplemented equals_holder() method from ac_tMartin Willi2014-03-311-8/+0
|
* lib: All settings use configured namespaceTobias Brunner2014-02-121-1/+1
|
* pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOBTobias Brunner2013-10-232-3/+0
| | | | This allows more than one builder to try parsing the data read from STDIN.
* sshkey: Add encoder for RSA keysTobias Brunner2013-09-131-0/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-25 17:11:59 +0000