aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
Commit message (Collapse)AuthorAgeFilesLines
...
* unit-tests: The pseudonym RDN is now recognized, so use something more exoticTobias Brunner2016-01-281-3/+3
|
* Support pseudonym RDNAndreas Steffen2016-01-273-0/+5
|
* vici: list-cert sends subject, not-before and not-after attributes for pubkeysAndreas Steffen2016-01-091-0/+1
|
* vici: Support of raw public keysAndreas Steffen2016-01-092-0/+15
|
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-172-0/+117
|
* 128 bit default security strength for IKE and ESP algorithmsAndreas Steffen2015-12-171-19/+19
| | | | | | | | | | | | | | | | | The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
* libstrongswan: Updated Android.mk to current Makefile.amTobias Brunner2015-12-141-1/+2
|
* 128 bit default security strength requires 3072 bit prime DH groupAndreas Steffen2015-12-143-16/+16
|
* Refactored certificate management for the vici and stroke interfaces5.4.0dr1Andreas Steffen2015-12-122-30/+130
|
* Changed some certificate_type_names and added x509_flag_namesAndreas Steffen2015-12-114-5/+37
|
* Allow msSmartcardLogon EKU to be builtAndreas Steffen2015-12-111-2/+2
|
* Print OCSP single responsesAndreas Steffen2015-12-113-5/+122
|
* Standardized printing of certificate informationAndreas Steffen2015-12-113-0/+653
| | | | | | | The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
* array: Add an insert/create function for value based arraysMartin Willi2015-12-073-0/+68
|
* byteorder: Provide a fallback for le32toh/htole32()Martin Willi2015-12-041-0/+20
| | | | | Some older toolchains don't provide these macros, so implement them using the gcc builtins. We also provide 64-bit variants as used by chapoly.
* byteorder: Add 32-bit unaligned little-endian conversion functionsMartin Willi2015-12-042-21/+27
|
* watcher: Check for cancellation if poll() fails with EINTRMartin Willi2015-12-041-0/+7
| | | | | | | With LinuxThreads, poll() is unfortunately no cancellation point. It seems that poll gets woken up after cancellation, but we actively must check for cancellation before re-entering poll to properly shut down the watcher thread.
* sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not ↵Tobias Brunner2015-11-231-1/+4
| | | | | | in the set Fixes #1213.
* utils: Use the more low-level __NR_ prefix to refer to the syscall numberTobias Brunner2015-11-171-1/+1
| | | | The __NR_ constants are also defined in the Android headers.
* utils: Provide a fallback for sigwaitinfo() if neededTobias Brunner2015-11-133-30/+36
| | | | | Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide this on Windows.
* revocation: Allow CRLs to be encoded in PEM formatTobias Brunner2015-11-121-1/+1
| | | | | | | | | | Since the textual representation for a CRL is now standardized in RFC 7468 one could argue that we should accept that too, even though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to be in DER format. But in particular for file URIs enforcing that seems inconvenient. Fixes #1203.
* curl: Be less strict when considering status codes as errorsTobias Brunner2015-11-121-3/+3
| | | | | | | For file:// URIs the code is 0 on success. We now do the same libcurl would do with CURLOPT_FAILONERROR enabled. Fixes #1203.
* auth-cfg: Prefer merged rules over existing ones when moving themTobias Brunner2015-11-121-3/+3
| | | | | | This is particularly important for single valued rules (e.g. identities). When copying values this is already handled correctly by the enumerator and add().
* android: Provide a fallback for sigwaitinfo()Tobias Brunner2015-11-121-1/+29
|
* android: Replace AndroidConfigLocal.h with a header in utils/compatTobias Brunner2015-11-124-5/+16
|
* settings: Add settings_value_as_uint64() helper functionTobias Brunner2015-11-113-0/+58
|
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-102-8/+7
|
* plugin-loader: Optionally use RTLD_NOW with dlopen()Tobias Brunner2015-11-091-6/+11
| | | | | | | | | This can be useful when writing custom plugins as typos or missing linker flags that result in unresolved symbols in the shared object could otherwise cause late crashes. In particular, if such a symbol is used in a code path that is rarely executed. During development and testing using RTLD_NOW instead of RTLD_LAZY will prevent the plugin from getting loaded and makes the error visible immediately.
* windows: Define RTLD_NOW, even if it is not usedTobias Brunner2015-11-091-0/+5
|
* iv-gen: Use NULL IV generator for NULL encryptionTobias Brunner2015-11-091-0/+5
| | | | | | | | | | | | We don't need an IV for NULL encryption, so we wouldn't technically need an IV generator. But some of the code currently relies on an IV generator to be present. So we don't have to change that code and handle IV size == 0 specially we use the new NULL IV generator, which handles this transparently to the existing code. Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms with an explicit IV generator") iv_gen_rand_t was used for NULL encryption, which would work too but this way it's clearer.
* crypto: Add NULL IV generatorTobias Brunner2015-11-094-1/+98
| | | | | This does not actually allocate an IV and only accepts requests for size == 0.
* testing: Updated hasher testsAndreas Steffen2015-11-062-4/+83
|
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-0611-86/+106
|
* Use word-aligned XOR in sha3_absorb()Andreas Steffen2015-11-031-4/+47
|
* Support BLISS signatures with SHA-3 hashAndreas Steffen2015-11-035-4/+43
|
* Implemented SHA-3 hash algorithm including test vectorsAndreas Steffen2015-11-039-0/+1029
|
* Defined SHA-3 hashersAndreas Steffen2015-11-033-10/+59
|
* random: Properly handle errors when reading from /dev/[u]randomTobias Brunner2015-10-291-0/+1
| | | | | | | | If -1 was returned on the first call to read() `done` got SIZE_MAX and the function returned TRUE even though no actual random data had been allocated. Fixes #1156.
* Replace usages of sigwait(3) with sigwaitinfo(2)Tobias Brunner2015-10-291-2/+1
| | | | | | | This is basically the same call, but it has the advantage of being supported by FreeBSD's valgrind, which sigwait() is not. References #1106.
* openssl: Explicitly include openssl/bn.hTobias Brunner2015-09-165-0/+5
| | | | | | | | If OpenSSL is compiled with OPENSSL_NO_DEPRECATED some of the headers we include don't include openssl/bn.h anymore. Therefore, we have to explicitly include it ourselves where we use BN_* functions. Fixes #1113.
* unit-tests: Add a test to verify that there is no partial matching of RDNsTobias Brunner2015-09-091-0/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2015-08-273-3/+3
|
* Fix some Doxygen issuesTobias Brunner2015-08-273-3/+3
|
* unit-tests: Additional test cases to increase coverageTobias Brunner2015-08-272-9/+611
|
* traffic-selector: Use calc_netbits() in RFC 3779 constructorTobias Brunner2015-08-271-2/+1
| | | | This properly detects prefixes encoded as ranges.
* auth-cfg: Don't enforce EAP_RADIUSTobias Brunner2015-08-211-1/+2
| | | | | Basically the same as e79b0e07e4ab. EAP_RADIUS is also a virtual method that will identify itself as a different EAP method later.
* mem-cred: We don't need a write lock when looking for a certificateTobias Brunner2015-08-201-1/+1
|
* mem-cred: Add a method to atomically replace all certificatesTobias Brunner2015-08-202-10/+58
|
* auth-cfg: Don't enforce EAP_DYNAMICTobias Brunner2015-08-201-1/+2
| | | | | We now store the actual method on the auth config, which won't match anymore if rightauth=eap-dynamic is configured.
* Defined PWG HCD IF-M attributesAndreas Steffen2015-08-182-3/+6
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 11:34:45 +0000