path: root/src/libstrongswan/plugins/openssl/openssl_plugin.c
Commit message | Author | Age | Files | Lines
* 128 bit default security strength for IKE and ESP algorithms | Andreas Steffen | 2015-12-17 | 1 | -19/+19
  The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
* 128 bit default security strength requires 3072 bit prime DH group | Andreas Steffen | 2015-12-14 | 1 | -4/+4
* curl: For SSL features, depend on thread-safety provided by our crypto plugins | Martin Willi | 2014-09-24 | 1 | -0/+2
  To use SSL in curl, we need to initialize the SSL library in a thread-safe manner and provide the appropriate callbacks. As we already do that in our crypto plugins using these libraries, we depend on these features. This implies that we need the same plugin enabled (openssl, gcrypt) as the curl backend is configured to use to fetch from HTTPS URIs.
* openssl: Don't re-enter FIPS mode if we are already using it | Martin Willi | 2014-06-04 | 1 | -2/+3
  If FIPS mode has been enabled by other means, under some environments it can't be entered again. It fails with "FIPS mode already set". To avoid it, we first check the mode before changing it.
* openssl: Be less verbose about FIPS mode when not running as daemon | Martin Willi | 2014-06-04 | 1 | -2/+2
  While this is valuable information, printing it for pki and other tools is annoying.
* openssl: Fix includes to prevent <winsock2.h> from complaining about include order | Martin Willi | 2014-06-04 | 1 | -6/+6
* lib: All settings use configured namespace | Tobias Brunner | 2014-02-12 | 1 | -1/+1
* openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL | Tobias Brunner | 2013-10-17 | 1 | -0/+4
  OpenSSL does not include them in releases before 1.0.2.
* Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway | Tobias Brunner | 2013-10-11 | 1 | -3/+3
* openssl: Properly log FIPS mode when enabled via openssl.conf | Tobias Brunner | 2013-09-27 | 1 | -5/+13
  Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf it should be disabled in strongswan.conf (or the other way around). Either way, we should log whether FIPS mode is enabled or not. References #412.
* openssl: Only warn about unavailable FIPS mode if the user requested it | Tobias Brunner | 2013-05-08 | 1 | -1/+1
* openssl: Cleanup thread specific error buffer | Tobias Brunner | 2013-05-08 | 1 | -5/+38
* openssl: Don't use deprecated CRYPTO_set_id_callback() with OpenSSL >= 1.0.0 | Tobias Brunner | 2013-05-08 | 1 | -17/+29
* openssl: Add PKCS#12 parsing via OpenSSL | Tobias Brunner | 2013-05-08 | 1 | -0/+3
* openssl: Properly cleanup OpenSSL library | Tobias Brunner | 2013-05-08 | 1 | -2/+7
* Add support for untruncated HMAC-SHA-512 | Tobias Brunner | 2013-05-08 | 1 | -0/+1
* openssl: Define a default for FIPS_MODE | Tobias Brunner | 2013-05-03 | 1 | -0/+4
* support of OpenSSL FIPS-140-2 library | Andreas Steffen | 2013-04-16 | 1 | -0/+19
* openssl: The EVP GCM interface requires at least OpenSSL 1.0.1 | Tobias Brunner | 2013-03-01 | 1 | -0/+2
* openssl: Provide AES-GCM implementation | Tobias Brunner | 2013-02-28 | 1 | -0/+14
* openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g | Tobias Brunner | 2013-02-20 | 1 | -1/+2
  Fixes #292.
* Add a stub for OpenSSL PKCS#7 parsing | Martin Willi | 2012-12-19 | 1 | -0/+5
* Moved debug.[ch] to utils folder | Tobias Brunner | 2012-10-24 | 1 | -1/+1
* openssl: Fix registration of the PUBKEY builder | Tobias Brunner | 2012-08-18 | 1 | -1/+1
  libtls drops support for RSA suites if it does not find an RSA backend (final builder for RSA public keys).
* Check rng return value when seeding OpenSSL RNG | Tobias Brunner | 2012-07-16 | 1 | -1/+5
* openssl: Ensure the thread ID is never zero | Tobias Brunner | 2012-07-03 | 1 | -1/+3
  This might otherwise cause problems because OpenSSL tries to lock mutexes recursively if it assumes the lock is held by a different thread e.g. during FIPS initialization.
* Use simple wrappers for HMAC based PRF and signer in openssl plugin | Tobias Brunner | 2012-06-25 | 1 | -2/+1
* Adding OpenSSL HMAC signer functions to openssl plugin | Aleksandr Grinberg | 2012-06-25 | 1 | -0/+20
* Adding OpenSSL HMAC pseudo random functions to openssl plugin | Aleksandr Grinberg | 2012-06-25 | 1 | -0/+17
* Adding OpenSSL random number functions to openssl plugin | Aleksandr Grinberg | 2012-06-25 | 1 | -0/+4
* Certificate decoding soft-depends on public key decoding of specific types | Martin Willi | 2012-05-02 | 1 | -0/+3
* Fixed AES key length in openssl plugin | Martin Willi | 2011-10-14 | 1 | -2/+2
* Announce openssl features only if actually supported | Martin Willi | 2011-10-14 | 1 | -16/+64
* Add features support to openssl plugin | Martin Willi | 2011-10-14 | 1 | -141/+118
* Added a (not yet implemented) plugin_t method to reload plugin configuration | Martin Willi | 2011-04-15 | 1 | -0/+1
* Added a get_name() function to plugin_t, create_plugin_enumerator enumerates over plugin_t | Martin Willi | 2011-04-15 | 1 | -38/+43
* trace back crypto algorithms to the plugins that registered them | Andreas Steffen | 2010-12-18 | 1 | -36/+38
* Added missing include for RAND_seed and RAND_status. | Tobias Brunner | 2010-10-21 | 1 | -0/+1
* Added a final flag to builder registration to enumerate the actually supported algorithms | Martin Willi | 2010-09-03 | 1 | -10/+10
* Added support for MODP_CUSTOM to openssl plugin | Martin Willi | 2010-09-03 | 1 | -0/+2
* Use a separate section for each nested struct member in INIT macro | Martin Willi | 2010-08-18 | 1 | -1/+5
* Double check that the OpenSSL RNG has been seeded, do so otherwise | Martin Willi | 2010-08-11 | 1 | -0/+33
* Migrated remaining classes in openssl plugin to INIT/METHOD macros | Martin Willi | 2010-08-10 | 1 | -6/+6
* Support module names in %smartcard specifier, streamlined smartcard building | Martin Willi | 2010-08-04 | 1 | -1/+1
* Fixing compilation of the OpenSSL plugin if ENGINE support is disabled. | Tobias Brunner | 2010-06-22 | 1 | -2/+8
  That is, enable compilation if OpenSSL was configured with OPENSSL_NO_ENGINE.
* Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled. | Tobias Brunner | 2010-06-22 | 1 | -3/+9
  That is, enable compilation if OpenSSL was configured with OPENSSL_NO_EC.
* Implemented X.509 CRL reading using OpenSSL | Martin Willi | 2010-05-21 | 1 | -0/+5
* Implemented X.509 certificate reading using OpenSSL | Martin Willi | 2010-05-21 | 1 | -0/+7
* Support decoding of subjectPublicKeyInfo in openssl without pkcs1 plugin | Martin Willi | 2010-05-05 | 1 | -0/+2
* Added support for DH groups 22, 23 and 24, patch contributed by Joy Latten | Martin Willi | 2010-04-19 | 1 | -0/+6