aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
Commit message (Collapse)AuthorAgeFilesLines
* Wipe auxiliary key store5.3.0Andreas Steffen2015-03-281-1/+1
|
* crypto-tester: Explicitly exclude FIPS-PRF from append mode testsMartin Willi2015-03-281-8/+11
| | | | | This was implicitly done by the seed length check before 58dda5d6, but we now require an explicit check to avoid that unsupported use.
* fips-prf: Fail when trying to use append mode on FIPS-PRFMartin Willi2015-03-281-1/+6
| | | | | Append mode hardly makes sense for the special stateful FIPS-PRF, which is different to other PRFs.
* cmac: Reset state before doing set_key()Martin Willi2015-03-271-0/+3
|
* af-alg: Reset hmac/xcbc state before doing set_key()Martin Willi2015-03-272-0/+2
|
* xcbc: Reset XCBC state in set_key()Martin Willi2015-03-271-0/+4
| | | | | If some partial data has been appended, a truncated key gets invalid if it is calculated from the pending state.
* hmac: Reset the underlying hasher before doing set_key() with longer keysMartin Willi2015-03-271-1/+2
| | | | | | | The user might have done a non-complete append, having some state in the hasher. Fixes #909.
* crypto-tester: Test set_key() after a doing a partial append on prf/signersMartin Willi2015-03-271-2/+20
| | | | | While that use is uncommon in real-world use, nonetheless should HMAC set a correct key and reset any underlying hasher.
* android: Sync libstrongswan Makefile.am and Android.mkTobias Brunner2015-03-251-0/+1
|
* diffie-hellman: Verify public DH values in backendsMartin Willi2015-03-237-1/+107
|
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-238-36/+41
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-238-19/+27
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-238-28/+26
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* unit-tests: Fix settings test after merging multi-line stringsTobias Brunner2015-03-231-2/+2
|
* unit-tests: Depend on SHA1/SHA256 features for mgf1 test casesMartin Willi2015-03-232-5/+16
|
* settings: Merge quoted strings that span multiple linesTobias Brunner2015-03-201-3/+2
|
* utils: Fix enum_flags_to_string parameter name to match Doxygen descriptionMartin Willi2015-03-191-1/+1
|
* Fixed two BLISS key type identifier stringsAndreas Steffen2015-03-161-2/+2
|
* files: Add simple plugin to load files from file:// URIsTobias Brunner2015-03-096-0/+300
|
* scheduler: Add method to remove all scheduled jobsTobias Brunner2015-03-092-5/+21
| | | | References #840.
* plugin-loader: Increase log level for warning about plugin features that ↵Tobias Brunner2015-03-091-3/+3
| | | | | | | | | failed to load Since we can't get rid of all unmet dependencies (at least not in every possible plugin configuration) the message is more confusing than helpful. In particular because a detailed warning about plugin features that failed to load due to unmet dependencies is only logged on level 2.
* pkcs11: Convert RFC 3279 ECDSA signatures when verifyingTobias Brunner2015-03-091-4/+33
| | | | References #873.
* pkcs11: Properly encode RFC 3279 ECDSA signaturesTobias Brunner2015-03-091-2/+19
| | | | Fixes #873.
* pkcs11: Properly encode EC_POINTs created on a tokenTobias Brunner2015-03-091-5/+8
| | | | | | | Some tokens might not fail when creating EC public keys in the incorrect format, but they will later not be able to use them to verify signatures. References #872.
* pkcs11: Properly handle EC_POINTs returned as ASN.1 octet stringTobias Brunner2015-03-091-1/+43
| | | | | | | This is the correct encoding but we internally only use unwrapped keys and some tokens return them unwrapped. Fixes #872.
* x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuerTobias Brunner2015-03-061-18/+15
| | | | | | | | | Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and authorityKeyIdentifier. If that's the case we can't force the calculation of the hash to compare that to authorityKeyIdentifier in the CRL, instead we use the subjectKeyIdentifier stored in the issuer certificate, if available. Otherwise, we fall back to the SHA-1 hash (or comparing the DNs) as before.
* hash-algorithm-set: Add class to manage a set of hash algorithmsTobias Brunner2015-03-044-1/+193
|
* credential-manager: Store BLISS key strength in auth configTobias Brunner2015-03-041-0/+3
|
* auth-cfg: Add BLISS key strength constraintTobias Brunner2015-03-042-21/+43
|
* public-key: Add helper to determine acceptable signature schemes for keysTobias Brunner2015-03-043-1/+122
|
* hasher: Add helper to determine hash algorithm from signature schemeTobias Brunner2015-03-042-0/+44
|
* public-key: Add helper to map signature schemes to ASN.1 OIDsTobias Brunner2015-03-042-3/+54
| | | | | | There is a similar function to map key_type_t and hasher_t to an OID, but this maps schemes directly (and to use the other function we'd have to have a function to map schemes to hash algorithms first).
* public-key: Add helper to determine key type from signature schemeTobias Brunner2015-03-042-0/+43
|
* hasher: Add filter function for algorithms permitted by RFC 7427Tobias Brunner2015-03-042-0/+30
|
* hasher: Redefine hash algorithms to match values defined by RFC 7427Tobias Brunner2015-03-042-27/+29
| | | | Other algorithms are defined in private use range.
* mem-cred: Add a method to unify certificate references, without adding itMartin Willi2015-03-032-0/+31
| | | | | In contrast to add_cert_ref(), get_cert_ref() does not add the certificate to the set, but only finds a reference to the same certificate, if found.
* enum: Extend printf hook to print flagsThomas Egerer2015-03-033-8/+286
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Don't fail host_create_from_dns() test if IPv6 not supportedMartin Willi2015-03-021-4/+10
| | | | | On some systems, such as the Ubuntu daily build machine, localhost does not resolve to an IPv6 address. Accept such a lookup failure.
* bliss: Add generated Huffman codes to the repositoryTobias Brunner2015-03-025-14/+860
| | | | | | | | | | | | | While these files are generated they don't really change and are not architecture dependant. The previous solution prevented cross-compilation from the repository as `bliss_huffman` was built for the target system but was then executed on the build host to create the source files, which naturally was bound to fail. The `recreate-bliss-huffman` make target can be used inside the bliss directory to update the source files if needed. Fixes #812.
* Fixed compiler warningsAndreas Steffen2015-02-271-2/+3
|
* Allow SHA256 and SHA384 data hash for BLISS signatures.Andreas Steffen2015-02-269-26/+93
| | | | | The default is SHA512 since this hash function is also used for the c_indices random oracle.
* unit-tests: Completed BLISS testsAndreas Steffen2015-02-256-16/+668
|
* Check for null pointer before applying memwipe()Andreas Steffen2015-02-251-4/+10
|
* Implemented improved BLISS-B signature algorithmAndreas Steffen2015-02-257-47/+356
|
* host-resolver: Do not cancel threads waiting for new queries during cleanupMartin Willi2015-02-241-6/+8
| | | | | | | | | | | | | | | | While it is currently unclear why it happens, canceling threads waiting in the new_query condvar does not work as expected. The behavior is not fully reproducible: Either cancel(), join() or destroying the condvar hangs. The issue has been seen in the http-fetcher unit tests, where the stream service triggers the use of the resolver for "localhost" hosts. It is reproducible with any cleanup following a host_create_from_dns() use on a Ubuntu 14.04 x64 system. Further, the issue is related to the use of libunwind, as only builds with --enable-unwind-backtraces are affected. As we broadcast() the new_query condvar before destruction, a hard cancel() of these threads is actually not required. Instead we let these threads clean up themselves after receiving the condvar signal.
* host-resolver: Disable resolver thread cancellation by defaultMartin Willi2015-02-241-0/+3
| | | | | The default of new threads is cancellable, but the host-resolver thread code clearly expects the opposite.
* unit-tests: Add host_create_from_dns() test cases resolving "localhost"Martin Willi2015-02-241-0/+42
|
* plugin-loader: Do not unload libraries during dlclose(), if supportedMartin Willi2015-02-241-1/+9
| | | | | | | Unloading libraries calls any library constructor/destructor functions. Some libraries can't handle that in our excessive unit test use. GnuTLS leaks a /dev/urandom file descriptor, letting unit tests fail with arbitrary out-of-resources errors.
* unit-tests: Accept numerical protocol/port numbers in traffic selector testsMartin Willi2015-02-231-11/+16
|
* openssl: Return the proper IV length for OpenSSL cryptersTobias Brunner2015-02-231-1/+1
| | | | | | | For instance, the NULL cipher has a block size of 1 but an IV length of 0. Fixes #854.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 14:25:47 +0000