To use SSL in curl, we need to initialize the SSL library in a thread-safe
manner and provide the appropriate callbacks. As we already do that in our
crypto plugins using these libraries, we depend on these features.
This implies that we need the same plugin enabled (openssl, gcrypt) as the
curl backend is configured to use to fetch from HTTPS URIs.
|
If initialization fails, we fall back to the old behavior.
|
It seems libcurl does not always return an error message.
|
Fixes #688.
|
Starting with libgcrypt 1.6, it seems that custom locking functions are not
supported anymore. Instead, the user has to select from one of the pre-defined
set of locking functions.
Given that we have a proper threading abstraction API with optional profiling
on all platforms, this is somewhat annoying. However, there does not seem to be
a way to use custom functions, and we have no other choice than using the
provided macro magic to support all libgcrypt versions.
Fixes #630.
|
On Fedora, SELinux complains about these open file descriptors when the
updown script invokes iptables. While it seems difficult to set the flag
on all file descriptors, this at least fixes those covered by the SELinux
policy.
As these two cases are in code executed while the daemon is still single
threaded, we avoid the use of atomic but not fully portable fdopen("e") or
open(O_CLOEXEC) calls.
Fixes #519.
|
Fixes a rather large memory leak in HTTP fetches.
|
In addition to letting AC generation fail properly if private key signing
fails, it also fixes an issue when compiling on Windows with MinGW 4.8.1, where
for some reason the attributeCertificateInfo got encoded incorrectly.
|
If FIPS mode has been enabled by other means, under some environments it can't
be entered again. It fails with "FIPS mode already set". To avoid it, we first
check the mode before changing it.
|
While this is valuable information, printing it for pki and other tools is
annoying.
|
As the mysql_config script is not available for Windows, we use a hardcoded
library name and no additional CFLAGS. This builds fine against the binary
MySQL Connector/C distribution.
|
Most Windows OpenSSL builds come with the crypto library named libeay32.
|
On Windows we don't have <arpa/inet.h>
|
With the strongTNC REST API some errors will actually be accompanied by
a response we want to receive completely.
|
To allow enum.h to depend on utils.h definitions, avoid its direct inclusion.
Instead include utils.h, which includes enum.h as well.
|
These definitions are directly derived from the RFC, so it should be safe
to cast them. clang complains about the different types, so cast them
explicitly.
|
The AES code historically has different build options for various size/speed
trade-offs. We never made use of them, so just drop the obsolete code. The code
now has four hard-coded fixed tables, both inverse and original.
|
By marking the string/blob arguments as transient, SQLite will copy and
free them automatically.
|
As the comment indicates, this was the intention in
d7be2906433a7dcfefc1fd732587865688dbfe1b all along.
|
Also adds several missing ones.
|
The salt, often called the implicit nonce, varies between AEAD algorithms and
their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses
3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM.
Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine
until we go for CCM mode support in TLS, which requires 4 byte nonces.
|
Fixes evaluation of ikev2/ocsp-untrusted-cert.
|
To avoid considering each cached OCSP response and evaluating its trustchain,
we limit the certificates considered for OCSP signing to:
- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint
The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as exception,
but require the installation of such certificates locally.
|
This behavior was introduced with 6840a6fb to avoid key/signature strength
checking for the revocation trustchain as we do it for end entity certificates.
Unfortunately this breaks CA constraint checking under certain conditions, as
we merge additional intermediate/CA certificates to the auth config.
As key/signature strength checking of the revocation trustchain is a rather
exotic requirement we drop support for that to properly enforce CA constraints.
|
More specific decoders might still be needed, but the x509
plugin should not care which ones.
|
This validator checks for any attribute certificate it can find for validated
end entity certificates and tries to extract group membership information
used for connection authorization rules.
|
This allows us to find attribute certificates for a subject certificate in
credential sets.
|
While there is no widely used PEM header for attribute certificates, at least
IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE:
http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate)
|