aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* x509: Check return value when signing attribute certificatesMartin Willi2014-06-041-9/+16
| | | | | | In addition that this lets AC generation fail properly if private key signing fails, it also fixes an issue when compiling on Windows with MinGW 4.8.1, where for some reason the attributeCertificateInfo got encoded incorrectly.
* openssl: Don't re-enter FIPS mode if we are already using itMartin Willi2014-06-041-2/+3
| | | | | | If FIPS mode has been enabled by other means, under some environments it can't be entered again. It fails with "FIPS mode already set". To avoid it, we first check the mode before changing it.
* openssl: Be less verbose about FIPS mode when not running as daemonMartin Willi2014-06-041-2/+2
| | | | | While this is valuable information, printing it for pki and other tools is annoying.
* sqlite: Avoid name clash when building on WindowsMartin Willi2014-06-041-2/+2
|
* mysql: Add Windows supportMartin Willi2014-06-042-5/+8
| | | | | | As the mysql_config script is not available for Windows, we use a hardcoded library name and no additional CFLAGS. This builds fine against the binary MySQL Connector/C distribution.
* openssl: Fix includes to prevent <winsock2.h> to complain about include orderMartin Willi2014-06-042-6/+8
|
* openssl: Undef OpenSSLs X509_NAME defined by <wincrypt.h>Martin Willi2014-06-041-0/+6
|
* openssl: Check and link against libeay32 instead of libcrypto on WindowsMartin Willi2014-06-041-1/+1
| | | | Most Windows OpenSSL builds come with the crypto library named libeay32.
* sha1: Include <library.h> instead of directly including <arpa/inet.h>Martin Willi2014-06-042-4/+3
| | | | On Windows we don't have <arpa/inet.h>
* x509: Undef OCSP_RESPONSE from <wincrypt.h> before using itMartin Willi2014-06-041-0/+5
|
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-0447-49/+48
|
* windows: Provide wrappers for dlopen() function familyMartin Willi2014-06-031-0/+2
|
* curl: Don't set CURLOPT_FAILONERRORTobias Brunner2014-05-311-14/+5
| | | | | With the strongTNC REST API some errors will actually be accompanied by a response we want to receive completely.
* soup: Add support to retrieve the response codeTobias Brunner2014-05-191-2/+14
|
* curl: Add support to return the response codeTobias Brunner2014-05-191-1/+27
|
* enum: Don't directly include enum.hMartin Willi2014-05-162-3/+2
| | | | | To allow enum.h to depend on utils.h definitions, avoid its direct inclusion. Instead include utils.h, which includes enum.h as well.
* unbound: Explicitly cast from ldns RR type/class to our typesMartin Willi2014-05-161-2/+2
| | | | | | These definitions are directly derived from the RFC, so it should be safe to cast them. clang complains about the different types, so cast them explicitly.
* x509: Remove some unused ASN1 OID constantsMartin Willi2014-05-162-25/+0
|
* aes: Remove unused build variantsMartin Willi2014-05-161-622/+65
| | | | | | The AES code historically has different build options for various size/speed trade-offs. We never made use of them, so just drop the obsolete code. The code now has four hard-coded fixed tables, both inverse and original.
* Added PUBKEY_RSA_MODULUS encoding typeAndreas Steffen2014-05-021-12/+35
|
* sqlite: Allow query arguments to be freed before starting the enumerationTobias Brunner2014-04-301-2/+4
| | | | | By marking the string/blob arguments as transient, SQLite will copy and free them automatically.
* x509: Don't include authKeyIdentifier in self-signed certificatesTobias Brunner2014-04-091-1/+1
| | | | | As the comment indicates this was the intention in d7be2906433a7dcfefc1fd732587865688dbfe1b all along.
* x509: Initialize certs when building optionalSignature for OCSP requestsTobias Brunner2014-04-091-1/+1
|
* Added support for msSmartcardLogon EKUAndreas Steffen2014-04-081-3/+10
|
* Initialize m1 to suppress compiler warningAndreas Steffen2014-04-071-1/+1
|
* test-vectors: Renumber AES-GCM test vectors according to original sourceTobias Brunner2014-03-312-16/+100
| | | | Also adds several missing ones.
* aead: Support custom AEAD salt sizesMartin Willi2014-03-318-25/+68
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* revocation: Log error if no OCSP signer candidate foundMartin Willi2014-03-311-1/+1
| | | | Fixes evaluation of ikev2/ocsp-untrusted-cert.
* revocation: Restrict OCSP signing to specific certificatesMartin Willi2014-03-311-7/+63
| | | | | | | | | | | | | To avoid considering each cached OCSP response and evaluating its trustchain, we limit the certificates considered for OCSP signing to: - The issuing CA of the checked certificate - A directly delegated signer by the same CA, having the OCSP signer constraint - Any locally installed (trusted) certificate having the OCSP signer constraint The first two options cover the requirements from RFC 6960 2.6. For compatibility with non-conforming CAs, we allow the third option as exception, but require the installation of such certificates locally.
* revocation: Don't merge auth config of CLR/OCSP trustchain validationMartin Willi2014-03-311-39/+24
| | | | | | | | | | This behavior was introduced with 6840a6fb to avoid key/signature strength checking for the revocation trustchain as we do it for end entity certificates. Unfortunately this breaks CA constraint checking under certain conditions, as we merge additional intermediate/CA certificates to the auth config. As key/signature strength checking of the revocation trustchain is a rather exotic requirement we drop support for that to properly enforce CA constraints.
* x509: CERT_DECODE actually requires KEY_ANYTobias Brunner2014-03-311-3/+1
| | | | | More specific decoders might still be needed, but the x509 plugin should not care which ones.
* pkcs1: KEY_ANY public key decoder soft depends on specific decodersTobias Brunner2014-03-311-0/+3
|
* acert: Implement a plugin finding, validating and evaluating attribute certsMartin Willi2014-03-315-0/+356
| | | | | | This validator checks for any attribute certificate it can find for validated end entity certificates and tries to extract group membership information used for connection authorization rules.
* x509: Match acert has_subject() against entityName or holder serialMartin Willi2014-03-311-5/+25
| | | | | This allows us to find attribute certificates for a subject certificate in credential sets.
* pem: Support encoding of attribute certificatesMartin Willi2014-03-311-1/+6
| | | | | | | While there is no widely used PEM header for attribute certificates, at least IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE: http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate)
* x509: Replace the comma separated string AC group builder with a list based oneMartin Willi2014-03-311-5/+5
|
* x509: Integrate IETF attribute handling, and obsolete ietf_attributes_tMartin Willi2014-03-311-9/+184
| | | | | The ietf_attributes_t class is used for attribute certificates only these days, and integrating them to x509_ac_t simplifies things significantly.
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-311-3/+3
|
* x509: Skip parsing of acert chargingIdentity, as we don't use it anywayMartin Willi2014-03-311-9/+1
|
* x509: Fix some whitespaces and do some minor style cleanups in acertMartin Willi2014-03-311-72/+76
|
* openssl: Add default fallback when calculating fingerprints of RSA keysTobias Brunner2014-03-221-1/+15
| | | | | | We still try to calculate these directly as it can avoid a dependency on the pkcs1 or other plugins. But for e.g. PGPv3 keys we need to delegate the actual fingerprint calculation to the pgp plugin.
* Completed integration of ntru_crypto library into ntru pluginAndreas Steffen2014-03-2220-1707/+1165
|
* plugin-feature: Hash only the actually used feature argumentTobias Brunner2014-03-201-1/+31
| | | | | | | | Clang does not initialize padding in union members so hashing the complete "arg" union could lead to different hashes if the hashed plugin_feature_t does not have static storage duration. Fixes #549.
* plugin-loader: Properly initialize modular plugin list if no plugins are enabledTobias Brunner2014-03-181-0/+1
|
* Implemented ntru_private_key classAndreas Steffen2014-03-1814-1341/+1085
|
* 11 bits are needed to encode a maximum index of 1086Andreas Steffen2014-03-151-1/+1
|
* Refactored NTRU parameter set selectionAndreas Steffen2014-03-073-40/+47
|
* Refactored ntru_param_setsAndreas Steffen2014-03-079-246/+175
|
* Optimize ntru_poly constructors some more5.1.2Andreas Steffen2014-02-271-26/+24
|
* Optimized initialisation of indicesAndreas Steffen2014-02-271-50/+39
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 18:31:43 +0000