aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Automatic generation of optimized Huffman codesAndreas Steffen2014-12-097-0/+559
|
* unit-tests: added bliss_sampler testAndreas Steffen2014-12-093-0/+99
|
* Expanded bliss_bitpacker to 32 bitsAndreas Steffen2014-12-095-41/+39
|
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-296-7/+15
| | | | pki tool
* Applied bit packing to BLISS public keyAndreas Steffen2014-11-295-55/+68
|
* Wipe BLISS private key memoryAndreas Steffen2014-11-291-2/+8
|
* Created bliss_bitpacker class to encode BLISS signaturesAndreas Steffen2014-11-298-46/+464
|
* Skip the unused bits field of the ASN.1 BIT STRING encodingAndreas Steffen2014-11-291-1/+1
|
* Store NTT A of BLISS public key aAndreas Steffen2014-11-292-28/+24
|
* unit-tests: created bliss_sign test suiteAndreas Steffen2014-11-295-1/+91
|
* Finished BLISS signature generationAndreas Steffen2014-11-2912-157/+1170
|
* Implemented Gaussian rejection samplerAndreas Steffen2014-11-296-16/+496
| | | | | The bliss_sampler class uses the mgf1_bitspender as a pseudo-random source.
* Implemented get_byte() method for mgf1_bitspender classAndreas Steffen2014-11-291-2/+1
| | | | | | The new get_byte() method returns a pseudo-random byte at a time. Changed the get_bits() interface to the same interface as get_byte(). Updated the mgf1 unit-tests accordingly.
* Added support for BLISS-IIIAndreas Steffen2014-11-291-2/+17
|
* Started implementing BLISS signature generationAndreas Steffen2014-11-293-15/+9
|
* Store and parse BLISS private and public keys in DER and PEM formatAndreas Steffen2014-11-295-27/+419
| | | | | | | | Additionally generate SHA-1 fingerprints of raw BLISS subjectPublicKey and subjectPublicKeyInfo objects. Some basic functions used by the bliss_public_key class are shared with the bliss_private_key class.
* Use mgf1_bitspender in ntru_poly_create_from_seedAndreas Steffen2014-11-292-52/+16
|
* Use mgf1_bitspender to generate random secret keyAndreas Steffen2014-11-291-280/+226
|
* unit-tests: Added bliss_fft test suiteAndreas Steffen2014-11-295-0/+193
|
* Moved mgf1 class to libstrongswan/crypto/mgf1Andreas Steffen2014-11-295-267/+7
|
* Defined BLISS I and IV parameter setsAndreas Steffen2014-11-294-19/+365
|
* Implemented Number Theoretic Transform using the FFT algorithmAndreas Steffen2014-11-298-3/+869
| | | | | | By pre-multiplying the input arrays with a linear phase the fast multiplication via FFT and inverse FFT computes a negative wrapped convolution corresponding to a modulus of x^n+1.
* Created framework for BLISS post-quantum signature algorithmAndreas Steffen2014-11-297-0/+625
|
* constraints: Use a more specific FQDN/email name constraint matchingMartin Willi2014-10-301-22/+73
| | | | | | | While RFC 5280 is not very specific about the matching rules of subjectAltNames, it has some examples how to match email and FQDN constraints. We try to follow these examples, and restrict DNS names to subdomain matching and email to full email, host or domain matching.
* constraints: Don't reject certificates with invalid certificate policiesMartin Willi2014-10-301-25/+97
| | | | | | | | | | | | Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations. A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate are not to be trusted anymore.
* curl: For SSL features, depend on thread-safety provided by our crypto pluginsMartin Willi2014-09-243-7/+57
| | | | | | | | | To use SSL in curl, we need to initialize the SSL library in a thread-safe manner and provide the appropriate callbacks. As we already do that in our crypto plugins using these libraries, we depend on these features. This implies that we need the same plugin enabled (openssl, gcrypt) as the curl backend is configured to use to fetch from HTTPS URIs.
* curl: Dynamically query supported protocols and register appropriate featuresMartin Willi2014-09-241-10/+64
|
* curl: Try to initialize with SSL support to handle https:// URIsMartin Willi2014-09-241-1/+6
| | | | If initialization fails, we fall back to the old behavior.
* plugin-loader: Support a reload() callback for static featuresMartin Willi2014-09-222-4/+35
|
* curl: Log error code tooTobias Brunner2014-09-091-2/+5
| | | | It seems libcurl does not always return an error message.
* openssl: Report correct key length for EC keys when not using NIST curvesTobias Brunner2014-09-022-22/+2
| | | | Fixes #688.
* winhttp: Do not use countof() on pointer argumentTobias Brunner2014-07-021-1/+1
|
* gcrypt: Use predefined pthread locking functions instead of custom hooksMartin Willi2014-07-011-50/+4
| | | | | | | | | | | | | Starting with libgcrypt 1.6, it seems that custom locking functions are not supported anymore. Instead, the user has to select from one of the pre-defined set of locking functions. Given that we have a proper threading abstraction API with optional profiling on all platforms, this is somewhat annoying. However, there does not seem to be a way to use custom functions, and we have no other choice than using the provided macro magic to support all libgcrypt versions. Fixes #630.
* charon: Set CLOEXEC flag on daemon PID file and /dev/(u)random source FDsMartin Willi2014-06-241-0/+5
| | | | | | | | | | | | | On Fedora, SELinux complains about these open file descriptors when the updown script invokes iptables. While it seems difficult to set the flag on all file descriptors, this at least fixes those covered by the SELinux policy. As these two cases are in code executed while the daemon is still single threaded, we avoid the use of atomic but not fully portable fdopen("e") or open(O_CLOEXEC) calls. Fixes #519.
* winhttp: Fix a typo to properly release connection handleMartin Willi2014-06-191-1/+1
| | | | Fixes a rather large memory leak in HTTP fetches.
* sshkey: Fix loading of ECDSA keys from filesTobias Brunner2014-06-182-3/+3
|
* sshkey: Add support to parse SSH public keys from files with left|rightsigkeyTobias Brunner2014-06-183-3/+59
|
* winhttp: Support basic authentication for URLs having credentialsMartin Willi2014-06-041-3/+23
|
* winhttp: Support new response code fetcher optionMartin Willi2014-06-041-0/+34
|
* winhttp: Implement a http(s) fetcher based on Microsofts WinHTTP APIMartin Willi2014-06-045-0/+522
|
* x509: Check return value when signing attribute certificatesMartin Willi2014-06-041-9/+16
| | | | | | In addition that this lets AC generation fail properly if private key signing fails, it also fixes an issue when compiling on Windows with MinGW 4.8.1, where for some reason the attributeCertificateInfo got encoded incorrectly.
* openssl: Don't re-enter FIPS mode if we are already using itMartin Willi2014-06-041-2/+3
| | | | | | If FIPS mode has been enabled by other means, under some environments it can't be entered again. It fails with "FIPS mode already set". To avoid it, we first check the mode before changing it.
* openssl: Be less verbose about FIPS mode when not running as daemonMartin Willi2014-06-041-2/+2
| | | | | While this is valuable information, printing it for pki and other tools is annoying.
* sqlite: Avoid name clash when building on WindowsMartin Willi2014-06-041-2/+2
|
* mysql: Add Windows supportMartin Willi2014-06-042-5/+8
| | | | | | As the mysql_config script is not available for Windows, we use a hardcoded library name and no additional CFLAGS. This builds fine against the binary MySQL Connector/C distribution.
* openssl: Fix includes to prevent <winsock2.h> to complain about include orderMartin Willi2014-06-042-6/+8
|
* openssl: Undef OpenSSLs X509_NAME defined by <wincrypt.h>Martin Willi2014-06-041-0/+6
|
* openssl: Check and link against libeay32 instead of libcrypto on WindowsMartin Willi2014-06-041-1/+1
| | | | Most Windows OpenSSL builds come with the crypto library named libeay32.
* sha1: Include <library.h> instead of directly including <arpa/inet.h>Martin Willi2014-06-042-4/+3
| | | | On Windows we don't have <arpa/inet.h>
* x509: Undef OCSP_RESPONSE from <wincrypt.h> before using itMartin Willi2014-06-041-0/+5
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 19:20:12 +0000